Privacy During a Pandemic

It will soon be one year since the first case of COVID-19 was reported. Ever since that first case, governments, healthcare providers and pharmaceutical companies have been under constant pressure to find a vaccine for this virus. In the meantime, governments across the world introduced mobile applications (apps) for detection, contact tracing and quarantining suspected cases. These apps help healthcare providers with remote patient administration and keep track of patients’ recovery processes. However, these apps also collect health data and personal details and track and report the movement of the mobile app users, which raises concern with data privacy professionals.¹

Some countries are adopting apps that store personal information on mobile phones until someone tests positive or is potentially exposed to an infected person. In addition, if a user test positive for COVID-19, their data will be accessed by heath authorities; therefore, consent should be obtained from the user when they register for the mobile app.² According to the EU General Data Protection Regulation (GDPR), national governments are permitted to act in the public interest, but they must limit the data they use.³

The key is to find a balance between public health and safety and data privacy. Unfortunately, there is no easy answer. In some countries, regular temperature checks and health surveys have become the norm, and in other countries, employee travel history may be stored in an organization’s systems. It is always preferred to refer to applicable data privacy regulations for compliance. As COVID-19 pandemic in accelerating, researchers will need more data to analyze. The argument is not regarding how much data can be captured, but it is about how it adds value to the research and how it is protected during its lifecycle. Compliance with applicable data privacy regulations should be the cornerstone of every data-driven initiative.

The key is to find a balance between public health and safety and data privacy.

Benefits derived from emerging technologies such as artificial intelligence (AI) cannot be ignored because AI-based systems can be used for predicting infection rates. These AI systems rely on information obtained from healthcare systems extracted through application programming interfaces (APIs). The information obtained is then processed through intelligent algorithms to project infection rate, recovery trends and fatality trends across different geographical locations and demographics. Such analysis relies on various attributes of data obtained from various healthcare systems that may relate to personal attributes of an individual as well. It is, therefore, critical to ensure that information does not contain personally identifiable information (PII) and is more generic when it gets used by the AI system. Some important points to note include:

• Data exchange through APIs should be adequately secured.
• Only required data should be exported to AI systems, which must be adequately protected for data privacy.
• AI-based systems should follow industry best practices for data security and privacy.
• The data lifecycle should be defined in line with applicable data privacy rules.

Governments and healthcare providers should also be careful with regard to cloud storage of AI-based systems. If the cloud spans various geographical locations, then data may be subject to multiple laws and regulations. It can be quite challenging to ascertain the exact location of data on a distributed cloud architecture. The AI cloud service provider should demonstrate and provide adequate assurance with regard to the location of data on the cloud. There should also be appropriate inclusions in the service contracts.

Digital measures taken by governments for tackling COVID-19 have been controversial. Some countries have established laws on how data will be restricted. For example, the Italian government established a decree to create a special legal framework for collecting and sharing personal data related to health. The German government has proposed to amend the Infection Protection Law to allow the Federal Ministry for Health to require persons considered at risk to identify themselves and provide information about their travel history and contact details. ⁴

Conclusion

Although the benefits of harnessing health data cannot be ignored, the pandemic should not be used for the surveillance of individuals. The goal must be public health and safety. There have been extreme measures taken by governments such as mandatory lockdowns and strict quarantine practices followed by penalties and fines for noncompliance. In any approach, technology plays an integral role in identifying, tracking and contact tracing COVID-19 cases and should be in line with applicable data privacy regulations.

Endnotes

¹ Mikkelsen, D.; H. Soller; M. Strandell-Jansson; “Privacy, Security, and Public Health in a Pandemic Year,” McKinsey & Company, 15 June 2020
² Bekkoenova, A.; Z. Idrizi; “In a Global Pandemic, Do We Still Have a Right to Privacy?” UNDP Europe and Central Asia, 12 May 2020
³ Op cit Mikkelsen
⁴ Organisation for Economic Co-operation and Development (OECD), “Ensuring Data Privacy as We Battle COVID-19,” 14 April 2020

Muhammad Asif Qureshi, CISA, CIA, CCISO, CISSP, PMP

Is an experienced information security and risk assurance professional with a wealth of information systems security and auditing background. He is a governance, risk compliance manager at Tawazun Economic Council. Qureshi actively participates in mentoring and coaching activities for young learners in schools and colleges. He has been a guest speaker on cybersecurity-related topics for young students. He has expertise in security transformation skills gained over the last 20 years. His achievements include establishing an information security department in his organization from the ground up. He worked with a dedicated team to build the information security architecture for his organization and has been an integral part of this team since then.