Many actions have been taken to address the COVID-19 pandemic. Some involve penalties for the spread of misinformation in Bosnia and Herzegovina, the derogation of some human rights in an emergency in Romania, Armenia and Latvia and companies like Palantir and Clearview AI negotiating partnerships with US state agencies for infection monitoring by surveillance, geolocation and facial recognition. Each of these, and many others, should do more than raise an eyebrow amongst the global privacy practitioner community.
Low privacy maturity
Starting at the lower end of the scale, an article entitled, “Protecting Privacy During an Infectious Disease Panic” was published in 2014. The context of the article was the Ebola outbreak, and a situation where media were obtaining and publishing information about individual Ebola patients to their individual detriment. Author Maruca noted that, “Another real or perceived ‘urgent’ situation could arise at any time without warning, and implementing a clear-minded, rational privacy protocol before the next crisis occurs is sound and smart strategy.”
Maruca continued, “Imagine the following scenario greeting you one morning: It isn’t stressful enough that you have just learned that a patient is being evaluated for a suspected case of a dreaded infectious disease in your hospital—now the patient’s name and photo are appearing all over the national news … [becoming] as familiar as those of tabloid celebrities.”
Unfortunately, the scenario Maruca warned about played out recently under the COVID-19 pandemic in Indonesia, a country lacking in privacy protection. In this case, the first two COVID-19 patients in Indonesia found the adverse media coverage created by the Indonesian president – who identified the two patients to the media – not only took a significantly greater mental toll on them than the disease itself, but also negatively impacted their neighbors’ privacy due to the subsequent live media coverage of their housing complex. Indonesian President Joko Widodo has since called for calm and to respect patient privacy. Maybe the lesson has now been learned.
Personal location data as a means to track COVID-19, and more?
Getting more complex, this March, US President Donald Trump entered discussions with tech companies about how Americans’ mobile location data could be used to track COVID-19, barely a few months after the New York Times highlighted how US telecommunication companies already share highly detailed individual location data for commercial gain.
The government’s desire to track its citizens’ location – ostensibly in the context only of COVID-19 – is not only happening in the US, it is also happening in several other countries. The concern is about the impact of this is on “civil liberties,” especially if the efforts are sustained and even extended beyond the pandemic, and without the knowledge of Americans. Overall, what mechanisms will be available to hold these governments to account for the surveillance, and the supposedly temporary, emergency breach of privacy, once the pandemic is over?
Google’s continued healthcare data aspirations…
At the same level of complexity, a recent ISACA Journal article, “Whose Data Is It Anyway,” detailed some of Google’s considerable healthcare data aspirations. Following hot on the heels of Google’s recent acquisition of Fitbit in line with these aspirations, its new service provides access to COVID-19 testing sites, but may also impact privacy. Specifically, the service’s privacy policy declares that the site collects users’ personal information, and that to access certain functionality, that the user must log in with their Google account. It’s the latter that’s a particular privacy challenge, potentially exposing the user’s personal data to the entire Google ecosystem.
Clearly there is potential for the abuse of privacy in the name of the pandemic. According to Privacy International, “[u]nprecedented levels of surveillance [and] data exploitation…” are being put in place in response to COVID-19, some imposing restrictions on freedoms, privacy and human rights. The concern among privacy professionals is whether these (emergency) activities will come to an end once the pandemic is over.
Some continue to argue that data is a corporate asset, able to be used in any way for commercial gain because of the investments the organization has made in organizing and analyzing the data. The question to corporations is where the asset leverage part stops, and where the respect for us as human beings begins. Contrast this against emerging privacy legislation like GDPR, which recognizes that data belongs to individuals rather than to corporations, and in so doing, not only recognizes privacy as a basic human right, it is also thereby simultaneously sympathetic and respectful to human beings as the victims of the COVID-19 pandemic.
Data privacy is at least as topical in the midst of COVID-19 as it has ever been, with the pandemic introducing an ever-changing and increasingly complex landscape for the privacy professional to navigate. By designing the appropriate privacy controls, organizations not only demonstrate respect for us as human beings, it also helps to strengthen our trust in those organizations in a world where trust seems increasingly compromised. Any institutional steps taken toward recognizing a base level of skills required to comprehensively manage privacy risk, not only from a compliance perspective, but also from the perspective of advancing in-depth technical knowledge while reinforcing privacy as a basic human right, should readily be embraced by the global professional privacy community.
Editor’s note: ISACA’s new technical privacy certification, Certified Data Privacy Solutions Engineer (CDPSE), is coming soon. Find out more at https://www.isaca.org/credentialing/certified-data-privacy-solutions-engineer.