Data privacy and the Vaccine Economy - fresh challenges ahead for enterprise users and tech providers alike

Profile picture for user slauchlan By Stuart Lauchlan January 5, 2021 Audio version
Summary:
The arrival of COVID-19 vaccines provides a glimpse of hope, but also raises fresh data privacy questions that enterprises and providers need to address.

Image of a vaccine needle injecting the world
(Image by Arek Socha from Pixabay )

With the roll out of vaccination programs underway - albeit falteringly to date - attention will turn again to a possible return to the workplace at some point this year. While the New Year crystal ball gazers were inevitably united in their 'bold' predictions that the future of work will be very different, there will still be offices and corporate buildings in which employees will expect to find a safe working environment. As diginomica noted last year, trust is the real critical factor at play here.

Clearly the arrival of vaccines can play a hugely positive role, both in the workplace and across society as a whole, but it also brings fresh challenges. A common concern that was expressed last year about tech-enabled return-to-work solutions was around personal data about employee health and how it was handled. How much information should an enterprise be looking for from its employees to make a qualified determination on their fitness for work? What happens to that data in the long term? With whom will it be shared, both internally and externally?

Those questions aren’t about to go away with the onset of vaccine programs; in fact, data collection gets, if anything, more important. The Oxford-Astra Zeneca, Moderna and Pfizer-BioNTech offerings all require two shots several weeks apart to be most effective. That means that individuals vaccine status will have to be collated, stored, tapped into etc etc by healthcare providers. Enterprise employers will also need to be assured of a staffer’s vaccine status, adding one more piece of data to be collected and managed. Robust and responsible data management is going to be a vital part of ensuring a successful societal vaccination effort and back-to-work tech solutions will need to support this.

Reasons to be fearful

Concern about data privacy in relation to COVD-19 responses has been around since the start of the pandemic. In June last year, Derek du Preez observed:

As freedoms are restricted due to lockdown and as health concerns stay front of mind for people, the willingness to hand over extremely personal data to governments, employers and businesses has no doubt increased. Just a few months ago the idea of giving a bar or restaurant your email address, telephone number, recent health history and personal details to have a drink or meal would have seemed outrageous. The dynamic has shifted considerably and new precedents are being set for what is ‘appropriate, excessive or lawful'.

And that, of course, is where opinions have varied as to what is appropriate and what is excessive. Those concerns haven’t gone away and indeed fresh examples of so-called reasons to be fearful continue to appear.

For example, Spain has caused a stir with its decision to compile a registry of those who refuse the vaccine and to share that information with other countries in the European Union. While the government insists that this will be done with “the utmost respect for data protection”, critics are worried about the precedent that this international ‘blacklist’ might create.

Elsewhere, Singapore police are to be granted permission to use data obtained by the main COVID-19 contact-tracing technology there for use in non-virus related criminal investigations. Given that the app is among the most widely-used of its kind anywhere in the world, with an estimated 80% of the population using it, that’s a lot of personal data about to be turned to a different purpose than users signed up for. The app’s download site actually promises that data will only be used for COVID tracking.

Meanwhile in the US, there’s alarm in some quarters about a call from the Centers for Disease Control and Prevention (CDC) that states should gather data, including patient names, birthdate, address and ethnicity, and submit this to a federal register. The CDC also wants states to sign up to data use agreements that could result in them passing on existing information in local databases to the federal government. That’s ringing ‘Big Government’ alarm bells among those who argue that data should remain within states, not be uploaded to a national melting pot.

The CDC counter argument is that as individuals cross state lines, so it is necessary for all parts of the country to be able to access data, such as vaccine status. It is a medical requirement, it insists, and data will not be passed on to non-healthcare federal agencies. Given the febrile state of the American psyche at present, that assurance isn’t likely to be enough to calm the conspiracy theorists. Even at state level there has been pushback on local data collection schemes, such as California’s Immunization Registry (CAIR).

Tech responsibilities

Coming back to the trust issue, some concerns might not be as paranoid as they might first appear. Research from privacy activist organization ProPrivacy last year claimed to have found alarmingly high levels of data leakage from COVID-19 tracking apps. The UK’s official NHS app, for example, was given a privacy rating of only 4 out of 10, although that’s better than Poland, where data access is offered to private firms, or the likes of Iceland, which scrapes a ranking of 2 out of 10.

There will be commentators who will counter that a privacy lobbyist group will have its own agenda here, but it’s a useful reinforcement of the need for tech solutions in this field to be above reproach. There’s no doubt that effective use of data is an essential tool in the battle against COVID-19. As Elizabeth Denham, the UK’s national Information Commissioner, put it in a recent update to her organization’s Data Sharing Code of practice:

I have seen first-hand how proportionate, targeted data sharing delivered at pace between organizations in the public, private and voluntary sectors has been crucial to supporting and protecting the most vulnerable during the response to the COVID-19 pandemic. Be it through the shielding programme for vulnerable people, or sharing of health data in the Test and Trace system. On a local and national level, data sharing has been pivotal to fast, efficient and effective delivery of pandemic responses.

That being so, tech solutions that agencies and private enterprises tap into need to be trusted. That puts particular pressure on the providers of those solutions to factor in data privacy considerations in their development. In September last year, Salesforce extended its back-to-work Work.com offering to include support for vaccine rollout. It - and indeed Work.com overall - is a good example of these considerations in practice.

Providing some insight into how the provider has gone about tackling data concerns in its COVID response solutions, Rob Katz, Senior Director, Ethical & Humane Use at Salesforce, argues that tech solutions must give individuals timely, accessible and easily understandable notice of how data is being collected and used, how it's protected and their rights to control it:

When it comes to collecting data, we're recommending that you only collect and retain the data that are absolutely essential for the solution to be effective. So when you're doing a wellness check for someone before they come into an office or before they come in for in-person learning at a school, you might be collecting their temperature, you might be collecting any symptoms that they might be experiencing, and whether or not they've been exposed to someone who has tested positive for COVID-19.

Some surveys are too intrusive, he suggests, asking too many questions to cover off every possible symptom:

Quite frankly, my son's school doesn't need to know whether he has a sore throat or a runny nose or a cough or if he has a temperature greater than a certain certain number; it just needs to know whether he's experiencing any of those symptoms or if he's been exposed recently to anyone who has tested positive for COVID-19. So from a survey design perspective, we just bundled all of those questions into a single yes/no attestation, which minimises the amount of personal health information that is collected and retained by the software and it makes it really easy to answer those questions. Making it a one or two questions survey instead of a nine or 10 questions survey is not just the ethical and privacy-first thing to do, it's also just better product development.

Once data is collected, it needs to be maintained in a safe environment. Employees need to be assured that their employers are looking after what is sensitive personal information with due care and responsibility, says Katz:

Security doesn't just mean that you keep it safe in the cloud. It It also means that you should intentionally limit access to data sets that are stored...to a clearly-defined set of individuals with the appropriate access permissions. We're talking on a need-to-know basis. So with Work.com, we recommend to our customers that they set up their workplace command centre in a separate Salesforce instance from any existing Salesforce CRM instance so that an admin in one org wouldn't have access to the other and vice versa.

My take

As vaccine programs around the world escalate, the trade-off between data protection and personal privacy that we began talking about in the early days of the pandemic is only likely to become more prevalent.

Asking tough questions about the claims made for products should be standard practice for enterprises anyway, but it is incumbent on providers of tech solutions to be able to be able to provide assurances that there is every facility to support the level of trust and assurance that many employees will need.

The arrival of vaccines provides a glimpse of a better future, but brings fresh challenges ahead. This can’t be a zero sum game. Tech can be used to fight the virus without losing trust, but data policies at enterprise - and societal - level need to be carefully assessed to support this.