We’ve recently met with Debbie Reynolds of Debbie Reynolds Consulting to discuss what awaits companies and individuals with respect to data privacy at the time of a global pandemic. We’ve touched on the future of data privacy, workplace changes, key challenges in implementing contact tracing apps and wider implications of mishandling data privacy protection.
Pandemic Impacts on the Scope of Privacy Protection
The Covid-19 pandemic has affected industries to various extents. Some businesses went remote, some transformed their business models fully, others discontinued their operation for the time being. One way the business landscape has also changed is that the public health crisis such as the current pandemic has extended the authority of the government sector.
“As you know, governments in the public health crisis can have additional powers that they wouldn’t have in normal times. In some ways, there’s less privacy protection of individuals. For example, if someone has a virus, they have to notify certain people, and because this is a massive pandemic, more people need to have their medical information shared in some ways, that otherwise wouldn’t have been done.
This of course varies from country to country. “Some countries have managed to do this better than others. Some governments want to be able to protect the privacy of each person as much as possible, but the problem is that they’re not able to do it to the extent they normally could in regular circumstances.
Europe vs the US: How Health Data Protection Differs
There are many differences between Europe and the US in terms of how they treat health information and in terms of regulatory requirements that regulate data retention.
“In the US, health data is protected in a medical setting, eg. in a typical doctor-patient relationship. There are federal laws that stipulate how this information needs to be protected. In the case of a pandemic, you still have this information protected in some regard, but because of the public health issue, other people may need to be involved. This brings us to the topic of contact tracing.
“The difference between Europe and the US is whether or not someone volunteers the information or if the information is used in contact tracing apps. People who volunteer their information on apps or outside the medical situation don’t have their information protected in a medical sense, because at that point, it’s considered consumer data.
“On the other hand, in Europe, regardless of how the information is disseminated, it still has health protection. In Europe, data protection follows the data, whereas in the US this is not the case. This is the issue with people giving info to apps like Health Tracker or Fitbit, which essentially means they are giving information to private companies.
“Also, in the US, you don’t have universal healthcare. A lot of people can be discriminated against in healthcare insurance because of publicly available information or health information that they have given to their employers for instance. So, that’s very different from Europe. Again, in Europe, it’s different, the GDPR mandates that the companies need to be more transparent about how they handle your data, and they need to get your consent.”
Changing Nature of Employer Role in Privacy Protection
Another thing that the COVID-19 pandemic has changed is workplace dynamics. Before, asking someone about their health was a nicety, and now it seems to be a necessity.
Businesses who can’t work fully remote and depend on returning to the office to survive have to untangle the question of boundaries in sharing and communicating their employees’ health information.
“In a workplace setting, the employer shouldn’t be giving the information outside a healthcare profession type of situation. The way that the process should go is that the health provider gives the information and they would only contact the employer on a need to know basis. But the employer doesn’t have the right to disseminate the information. Whereas healthcare providers may share information with employers, the employer should not be sharing the information.
“Let’s say a person in a company has the coronavirus. People are concerned that this person may have infected others at work. The health provider may contact the employer and inform them that the person is infected and that they may want to possibly quarantine other people in the workplace. But even in this situation, the employer should try to err on the side of not giving too much information about the employee. That’s crucial. In practice, this means that if for example, John works within a particular group of coworkers and tests positive, the employer could communicate that someone in this group has the virus and that they should quarantine, or seek medical treatment or get tested. The goal is to not give too much information.
“A lot of the health information gathered about COVID-19 and people would not have necessarily been something that the employer would know, but because now when you go to work, the setting has changed. The company might take your temperature; facial recognition and heat cameras are used. People are more interactive in terms of their health and it might feel strange. Suddenly, all your health information is merged with the business setting.
“All this information can be stored for a period of time, and it’s challenging to keep privacy protected. But it’s also challenging for people. Some people, even though they have a fever, still want to go to work. They’re not in a position to skip work of self-quarantine. They don’t have the job that pays to go home or skip work, and that’s a problem, which is handled differently from state to state.”
Contact Tracing without Trespassing Regulations
Contact tracing has proven to be an efficient way to curb the spread of the pandemic and allows us to act quickly. It lets health authorities identify everyone who might be infected and by putting them into quarantine, prevent further cases of infection. With the COVID-19 outbreak, many public sector agencies and private companies have turned to contact tracing apps. We talked to Debbie about their role and privacy concerns.
“For me, contact tracing is a profession, not an app. The apps that do contact tracing are not taking the job of the professional who does contact tracing. And there have been problems with apps because every nation has to decide how they want to implement contact tracing apps. It’s been done differently from country to country, because it depends on each country’s privacy laws.”
“Just recently, there was an issue with a contact tracing app in the UK, because it was implemented without data privacy impact assessment, which is a requirement stemming from GDPR. In Australia on the other hand, a privacy impact assessment was done before rolling out their app. So, this is all publicly available information and everyone is able to see how the app works. But as I’ve said, the apps work differently from country to country, depending on the laws. Some countries don’t use these apps as they are too intrusive and they can’t control the info once it gets out into the private sector.
“Google and Apple have created a capability on smartphones for them to communicate and bounce information off each other based on proximity and how much time someone’s been together. That’s a capability they have created, whether you use contact tracing or not, the capability exists. As a user, you can turn the capability on or off, but most apps will force you to turn it on because they won’t work otherwise.
“Now, the way the capability was implemented and the way it works in practice is the following: you have a contact tracing app on your phone. You first have to volunteer your info when signing up for the app, e.g. ‘let me know if I have been around someone with Covid-19’. If the other person also notifies the app that they have tested positive, then you’d get the notification to contact a medical professional or to quarantine, or something similar.
“Companies who create contact tracing apps don’t want to be responsible if something goes wrong. This way, if there’s a data breach, their stance is that they made the app use anonymous data, so you can’t breach a person’s privacy. However, that might not always be the case, because all companies/states that implement the apps can decide where they store the data, whether they will centralize the data on a server somewhere so they can compute the statistics. It doesn’t mean it can’t be hacked.
“And the problem is that once you use these apps you have very little recourse. Let’s say the app doesn’t work the way it’s supposed or the info is breached. Because you agreed to use the app, you have very little redress against the company.”
In terms of global statistics, contact tracing apps don’t add as much as often portrayed. “Less than 45% of people in the world have smartphones, so the majority of people don’t have smartphones or contact tracing apps. The apps are not that helpful on a global scale, so the statistics are very skewed, you can’t know for sure who’s been infected. That’s why contact tracing as a profession is very important: these professionals need to contact everyone regardless of the phone someone has.
“A concern I have related to contact tracing apps is how the data might be used. The capability I’ve mentioned earlier is created to have smartphones communicate with each other. Apple and Google are trying to restrict this capability to contact tracing apps. The way they do it is that every nation has to pick an app that will be used for contact tracing. The app will be allowed to use the capability, but once it’s implemented or the nation switches to another app, there’s no guarantee that Apple or Google won’t allow other apps, that have nothing to do with healthcare, to access that information.
“There’s a lot more data collection right now about people and the danger is having that data merged to identify individuals. For instance, you walk into a bank and the bank can tell you have a contract tracing app. It could happen that the bank decides not to give a loan or deny insurance to people based on health data accessed via contact tracing apps.”
Still, despite the many turbulences it brought about, the Covid-19 pandemic has also sparked interest in data privacy. “I feel like people are becoming more aware of what is private and what isn’t, people are starting to care a bit more about privacy, especially in the US, where people use apps a lot; now, they question whether aps are secure or not.”
Debbie Reynolds, also known as the Data Diva, is a renowned tech expert, published author, thought-leader and advisor to international corporations. Her expertise ranges from data privacy, data protection, eDiscovery, consumer financial protection and EU and US privacy protection legislation, to name a few.
Jatheon is a global leader in enterprise information archiving, with 16 years of experience in providing on-premise, cloud and virtual archiving solutions to regulated industries in the US and beyond. To learn how you can gain control over your business data with Jatheon, and prevent data loss, contact us or book a personal demo.