COVID-19: Don’t Forget Data Protection When Designing a Response Strategy

Organisations responding to the COVID-19 outbreak have numerous conflicting challenges: should they take the temperatures of people entering their premises? Should they have employees complete health-check surveys? If so, should these surveys extend to capture family members‘ health? Is there technology that will help spot or diagnose symptoms?

Danielle Miller Olofsson has authored this article.

From a privacy perspective, organisations are still required to comply with data protection legislation that is based on the following Fair Information Practices (“FIP”s) :

• accountability
• identifying purpose
• consent
• limiting collection
• limiting use, disclosure and retention
• accuracy
• safeguards
• openness
• individual access
• challenging compliance

Although a national – global – health crisis may be used to downplay certain data protection obligations, such as obtaining an individual’s consent to process their information, it cannot be used to ignore them all together.

Below are three particularly relevant FIPs that should be considered when designing a COVID-19 response strategy.

1. Accuracy

Both public and private sector organisations must ensure that the information they process is accurate and up to date. While this may seem intuitive when applied to traditional methods of collecting and using information, it is often forgotten in the haste to deploy a « cutting edge technology » that is being marketed as the solution to the challenge of the hour.

Artificial intelligence and biometric technologies are not foolproof and often mask inherent biases and prejudices that render the results they generate inaccurate at best and discriminatory at worst. A COVID-19 response strategy based on these technologies could, if the latter prove inaccurate, cost an organisation considerable financial and reputational damage.

2. Security

Most, if not all, information processed in response to the COVID-19 outbreak will have a health component and as such, is considered highly sensitive information. It requires special administrative, physical, and technological mechanisms to ensure its confidentiality, integrity, and availability on a need-to-know basis.

Not only does this mean that the information requires protection but that employees should be reminded of their duty to keep sensitive information confidential. Also, an effective COVID-19 response strategy should clarify how people who have come in contact with a victim are to be informed without compromising the identity of the victim.

3. Limited Collection, Use, and Destruction

The COVID-19 outbreak cannot be used to justify over collection and use of personal information. If information is being collected to help control the spread of the virus, then only such information as is directly relevant to this end should be collected.

Likewise, the information should only be used to help contain the virus. It should not be used for other purposes such as building health profile of clients and employees who do not have the virus. If invasive technology is being used to track potential carriers, consider an information deletion policy that is shorter than what is commonly in place.

As organisations struggle to respond appropriately and rapidly to the COVID-19 pandemic it may be easy to overlook data protection obligations. BCF’s Data Protection Team and Labour and Employment Group can assist in designing compliant COVID-19 response strategies.