COVID-19 is changing our lives, both personal and professional. Many of those things we previously thought of as important are paling into insignificance; for example, cash has little value in a social distancing world. Other aspects of our lives that we perhaps took for granted are brought into stark relief, most evidently being able to meet up with close family and friends. Data privacy is not immune to the impact of COVID-19, and decisions are being made about data privacy during this pandemic that should be giving us all pause for thought.
The rule book has gone out of the window
Those involved in fighting the pandemic on the front line – health workers, care workers, government agencies, and more – have been adapting to challenges, demands, and requirements on an hour-by-hour basis. One overheard comment: “The rule book has gone out of the window; I was told to use someone else’s user ID and password the other day so I could get an urgent alert out to relevant staff.”
For security professionals this sends alarm bells ringing like crazy. Many a time have we seen passwords pinned to laptops, laptops left unlocked and unattended, and many other opportunities for a security incident and breach that are, quite frankly, astounding. But now not only are some employees being told to put privacy concerns to one side in the interests of protecting life but governments are actively deploying data collection mechanisms to trace individuals who have been in contact with someone subsequently confirmed to have COVID-19.
The government of Singapore provides one such example. It has deployed TraceTogether, an app that “uses a community-driven approach to identify close contacts of users.” According to the Singaporean government’s website, the idea is that having the app on a cell phone with Bluetooth enabled identifies other nearby phones also with the app and timestamps the contact. This information can then be used if one individual subsequently comes down with COVID-19, tracing those they have been in contact with and requesting them to self-isolate.
This may give data privacy professionals cause for great concern. However, the Singaporean government provides details about how the app will be used and addresses privacy questions. It will ultimately be up to individuals whether to download the app to aid the fight against the spread of COVID-19.
Emergency legislation could contradict data privacy expectations
New laws are being enacted globally to deal with the pandemic such as the UK’s Coronavirus Act 2020. South Korea already had legislation in place following the outbreak of Middle-East Respiratory Syndrome (MERS) back in 2015, allowing health officials to “aggressively trace the footsteps of individuals who test positive for an emerging infectious disease.” According to Johns Hopkins University, at the time of writing South Korea had recorded around 10,000 identified cases of COVID-19 with 169 deaths.
In late March, Germany’s federal cabinet took similar steps, amending its Infection Protection Act to include measures designed to slow the infection rate of COVID-19. Unfortunately, those measures have come under sizable criticism for their potential long-term impact on German citizenry’s right to privacy. In short, the amendments require the transportation sector to gather considerable personal information, and unfortunately they lack the necessary co-requirement to delete that personal data after the crisis has passed.
Omdia expects similar country- and region-specific legislative actions to follow as the world continues to combat COVID-19 over the coming months and perhaps even years. Such measures, be they mandatory or voluntary, will require close and constant scrutiny not just by watchdog groups such as the Electronic Frontier Foundation (EFF) but also by those working on the front lines and those self-isolating at home. We must all take responsibility for protecting our privacy and security while doing our best to protect the privacy and security of those we work with and the organizations we work for. The rule book may have gone out the window, but our obligation to do the right thing should remain the top priority.