COVID-19 FOCUS: A perspective from The International Association of Privacy Professionals

As organisations across the world grapple with the pandemic, PrivSec Report speaks to Müge Fazlıoğlu, senior research fellow at the US-headquartered IAPP, about the ongoing privacy and data protection challenges.

As Senior Westin Research Fellow at the Westin Research Center, an in-house International Association of Privacy Professionals (IAPP) resource producing research and scholarship into the privacy sector, Müge Fazlıoğlu is ideally placed to comment on the privacy impacts of the Covid-19 pandemic.

“I would emphasise that privacy professionals are used to fast-paced change in laws and technologies, so I feel like privacy professionals in general have been quick to adapt and respond to the impacts brought about by Covid-19,” she begins.

In her time at the IAPP, Fazlıoğlu’s research has been broad ranging, taking in several aspects of the pandemic as it has impacted on the daily working lives of privacy professionals.

For example, she has examined the issues and considerations around sharing Covid-19-related data with government entities, looking specifically at the legal guidance from data protection authorities around the world. From this, she was able to distil best practices that apply across multiple jurisdictions: aggregating, anonymising or de-identifying Covid-19 data before sharing it; minimising the amount and types of data that are collected; limiting data retention periods; being transparent about sharing data; and keeping records of all activities around Covid-19 data requests from government authorities.

In order to quantify the extent of adaptation to the new reality of a global pandemic, the IAPP surveyed its members in mid-April about some of the changes brought about by the virus, examining how their organisations had responded, how data practices had been affected, the likely future privacy impacts, and how privacy professionals’ priorities had changed.

“We did ask a question… about what the biggest privacy challenges are, and the top answer was ‘Understanding privacy requirements associated with employee remote work,’ with 49% saying that has been their top challenge”, says Fazlıoğlu.

The survey found that more than 90% of respondents implemented home working for most or all employees, with 57% having ordered most or all employees to do so. Almost half had adopted new technology or contracted with vendors to enable working from home and, of those, 60% had expedited or bypassed the privacy/security review.

“As far as the implications of this go, I think we can assume some organisations have gone back over things, and sought to address gaps, clean things up, patch up security flaws, etc., but everyone is probably not completely caught up yet”, she says.

The IAPP survey also reported an uptick in employee data collection, with most organisations collecting data or diagnostic records about employee Covid-19 symptoms: 76% were asking employees to notify the company in the event of a positive diagnosis, and 60% were keeping a record of that diagnosis.

“I think this is important because critical questions remain about necessity and data minimisation and retention, as well as very important questions about data security. Interestingly, keeping records was also the item that respondents expressed the most uncertainty about, with almost one-third not sure if their organisation is doing it,” Fazlıoğlu explains.

“I would say record-keeping is an important area where privacy professionals could use further guidance, because the majority of organisations seem to be doing it, and also because there is a lot of uncertainty around it. Keeping in mind things have changed since April, I think this is still an important area to consider.”

A particularly interesting strand of her work concerns the political landscape surrounding Covid-19 in the US, which, she believes, has echoed the wider federal debate around privacy legislation. She has looked at proposed federal Covid-19 legislation, such as the Republican-sponsored Covid-19 Consumer Data Protection Act, which contained protections for personal information, particularly health, geolocation and proximity data, and which was introduced on April 30 but not subsequently enacted.

“Since there has not been significant COVID-19 privacy legislation passed, at least in the US, it is clear that there are gaps and shortfalls that remain. After following the debates around the bills in US Congress, I’m still sceptical that there will be a COVID-19 bill passed, but anything is possible in the year 2020!” Fazlıoğlu says.

In May, she wrote that:

“While the COVID-19 outbreak has brought about numerous changes to our daily lives, it has not brought U.S. Congress any closer to bridging the partisan divide over the shape and scope of federal privacy legislation. Although both Democrats and Republicans in Congress have introduced privacy legislation related to the ongoing COVID-19 pandemic in recent weeks, lawmakers from either side of the aisle remain at odds over at least two key provisions: a private right of action and preemption of state law.”

Her article described “a familiar script” for Covid-19 federal privacy legislation, whereby Republicans would introduce a bill requiring consent to process sensitive data and protect individual rights, pre-empting stronger state laws and lacking a private right of action. Democrats would then introduce a bill with stronger and additional protections for individual rights, a widened definition of “sensitive data”, private right of action and a non-pre-emption clause. The issues remain unresolved and stymie a federal data privacy law.

But, she predicts: “For privacy pros, I think the issue is not so much about new laws or policies, but about how existing laws, like GDPR, CCPA, or US sectoral privacy laws regarding educational/student privacy, etc., are intersecting with COVID-19 data collection and processing. So, figuring out those interfaces I think will continue to keep privacy professionals very, very busy in the short term.”

The global picture is varied, of course, but Fazlıoğlu identified some commonalities.

“I believe that the guidance offered by most DPAs has been useful, but there are a lot of nuances from country-to-country, so it’s really impossible to create a single piece of guidance that captures everything. So, I think it’s important for companies to follow the guidance of their particular supervisory authority, and to be sure they are keeping themselves updated, as the guidance has changed and been updated regularly throughout the pandemic,” she says.

“There are some common privacy and data protection principles – such as data minimisation, establishing retention periods and deleting data, and transparency – that should be built into every company’s data management practices. These principles applied before, apply during, and will apply after the pandemic, so I think they are some of the most effective tools we have to protect privacy. And I like the sentiment that compliance is a journey, not a destination, so protecting privacy should not be a box-ticking exercise or a one-off activity. It should be a process of continuous development and engagement with the issues, which are always complex and rapidly changing.”

There is one issue thrown up by the virus that Fazlıoğlu argues is not receiving enough attention in policy circles: the risks of stigmatisation, ostracisation, and scapegoating of individuals upon disclosure of a positive diagnosis.

In a whitepaper on this theme, she wrote that these issues are “particularly worrisome, as they can lead to loss of trust in organizations and institutions that collect and process data. This lack of trust, in turn, can reduce cooperation and foster behaviors that run counter to other important societal goals, such as public health, which is of utmost importance, especially during a pandemic.”

In the paper, she warns that only considering privacy risks through an organisational lens, and not focusing on individuals, can lead to “more likely and impactful privacy risks to individuals” that ultimately damage the organisation in any case.

“Broadening this discussion by including privacy risks to individuals can aid leaders seeking to rethink and better align their privacy risk management strategies with the complex and constantly changing reality in which we find ourselves,” she said.

As governments consider further lockdowns and restrictions to contain a second spike in infections and the picture continues to be fast-evolving, Fazlıoğlu’s message that safeguarding privacy is an ongoing activity seems particularly pertinent. It is to be hoped that fresh learning from the first wave will enable privacy professionals around the world to respond rapidly and effectively to new challenges.
