How Organizations Can Prioritize Privacy During a Pandemic and To What Extent


It’s official—we’re living through the world’s latest pandemic. And while valuable guidelines and regulations from governments and specialized agencies such as the World Health Organization continue to alter normal life in order to preserve greater societal health, organizations and individuals are faced with another unprecedented concern—what about data privacy?

According to directions by the Centers for Disease Control and Prevention (CDC), and as laid out by the 1944 Public Health Service Act, public health authorities are one court order away from obtaining almost any data they want regarding anyone. During a pandemic like the current COVID-19 outbreak, the true scope of the CDC’s powers is brought to life and can actually be flexed—according to the CDC manual, should the need arise, public health officials can investigate or detain you, force you into quarantine, and access, confiscate, or destroy personal devices and data. Yes, during times like these, they essentially have “police powers.”

Of course, such authority stems from the government’s core duty to protect public health and safety, even if it means restricting individual freedoms. For example, when a person is diagnosed with COVID-19, public health experts must discover where the individual has been and track down everyone they’ve been in contact with in efforts to curb the virus’s spread. It’s well-intentioned, and it can save lives. 

Still, can we, and should we, draw a line somewhere regarding data privacy and security? How far must CDC powers really go? Here are some ways that organizations can keep prioritizing privacy as much as possible, whenever possible, despite the long arm of the CDC.

→ Develop (or Enforce) a Comprehensive Privacy Management Program


According to Ionic, a successful privacy policy framework “requires understanding all aspects of what personal data is and how it is used across all facets of your organization.” Identification and classification of data are essential, as is communicating and implementing an overarching and transparent policy (internally and externally) in order to figure out how to control and safeguard data. If there isn’t already a privacy policy in place, there’s never been a more pressing time to establish one, and international regulators agree that such a program should include:

  1. Designating a Chief Privacy Officer (or respective task force) to coordinate the program;

  2. Enacting data security policies and procedures before then educating staff regarding such;

  3. Cataloging data, conducting regular risk assessments, and regularly testing implemented privacy controls/procedures for each business operation; and

  4. Building privacy principles into product development and research.

→ Understand What Information to Provide

Privacy experts have warned that “there is a balance to be struck between protecting private health and ensuring privacy rights aren’t infringed as both the government and employers take efforts to tackle COVID-19.” So far, ICO and DPC guidance is that employers must continue to respect data protection principles—e.g. securing personal data by minimizing access, ensuring eventual erasure, and adequately training staff—while keeping collections of personal data, including health details and location or travel details, to the minimum amount that’s required.

Even so, employers must stay informed. Guidance on how the pandemic affects each country’s data protection laws and guidelines is being updated daily, as governments build out the legal basis for processing data, add data protection principles, and answer employers’ questions about processing employee health data. The Belgian data protection authority, for instance, stated that the processing of personal data collected through measures implemented to prevent the virus’s spread must comply with all the fundamental principles of data processing in Article 5 GDPR; in particular, companies and all employers shall inform employees and visitors about the purposes for which their data is being processed and the period for which their personal data will be retained.

→ Seek Legal Advice

However, data filtration and protection can get legally complex and contextual. As points out, “different employers may need different standards when it comes to maintaining the confidentiality of any patients diagnosed with the coronavirus—there is a much greater need, for instance, to know the identity of an individual with the coronavirus if they work in a nursing home than if they work in a large office.” Our latest pandemic isn’t just spreading germs—it’s also igniting unprecedented challenges with broad implications. Seek legal advice to properly set up an effective and efficient framework to tackle any potential confidentiality and data privacy risks that your organization could encounter.

→ Enhance IT Security and Stay Connected

With all this being said, privacy isn’t a concern that arises solely from the government’s need to track the outbreak. Increased risks also emerge from new work environments—something that’s becoming more pertinent as more people are encouraged or mandated to work remotely. Such a shift comes with its own share of privacy challenges, including unsecured Wi-Fi networks or personal devices, inadequate firewalls and antivirus software, and/or a lack of updates, backups, and encrypted communications.

Knowing that, there are many ways that organizations can impose safety measures that mitigate these potential security breaches and data loss. Employers must assess any and all probable and potential security risks posed by remote work arrangements, pre-vet and authorize specific employee devices, and install properly configured security measures such as firewalls, antivirus software, etc., all while enforcing safety protocols, including multifactor authentication, additional credentialing, and VPNs, among others.
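The paragraph above lists the controls an employer should verify before authorizing an employee device for remote work. The following is an added example, not code from the article or from Schellman, showing how that pre-vetting step can be made repeatable: each device record from a (hypothetical) endpoint inventory is checked against a baseline covering the controls named above, and every failed control is reported so the owner receives a complete remediation list. The record fields, the baseline thresholds (30-day patch age, 7-day antivirus signature age) and the sample devices are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Hypothetical baseline for authorizing a remote-work device. The control
# names follow the article's list (firewall, antivirus, updates, encryption,
# MFA, VPN); the numeric thresholds are assumptions, not from the article.
BASELINE = {
    "max_patch_age_days": 30,
    "max_av_signature_age_days": 7,
    "allowed_os_families": {"windows", "macos", "linux"},
}

# Reference date for the constructed sample run.
AS_OF = date(2020, 4, 15)


@dataclass
class DeviceRecord:
    """One device as reported by a (hypothetical) endpoint inventory."""
    device_id: str
    owner: str
    os_family: str
    last_os_patch: date
    firewall_enabled: bool
    antivirus_installed: bool
    av_signatures_updated: date
    disk_encrypted: bool
    mfa_enrolled: bool
    vpn_client_installed: bool


def vet_device(rec: DeviceRecord, today: date, baseline: Dict = BASELINE) -> Tuple[bool, List[str]]:
    """Return (authorized, failures). All failed controls are collected so the
    owner gets one complete remediation list rather than one failure per round."""
    failures: List[str] = []
    if rec.os_family not in baseline["allowed_os_families"]:
        failures.append(f"unsupported OS family '{rec.os_family}'")
    patch_age = (today - rec.last_os_patch).days
    if patch_age > baseline["max_patch_age_days"]:
        failures.append(f"OS patches are {patch_age} days old")
    if not rec.firewall_enabled:
        failures.append("host firewall disabled")
    if not rec.antivirus_installed:
        failures.append("no antivirus installed")
    else:
        # Signature age only matters when an antivirus product is present.
        sig_age = (today - rec.av_signatures_updated).days
        if sig_age > baseline["max_av_signature_age_days"]:
            failures.append(f"antivirus signatures are {sig_age} days old")
    if not rec.disk_encrypted:
        failures.append("disk not encrypted")
    if not rec.mfa_enrolled:
        failures.append("owner not enrolled in multifactor authentication")
    if not rec.vpn_client_installed:
        failures.append("VPN client missing")
    return (not failures, failures)


def authorize_fleet(records: List[DeviceRecord], today: date) -> Dict[str, List[str]]:
    """Map device_id -> list of failures; an empty list means authorized."""
    return {rec.device_id: vet_device(rec, today)[1] for rec in records}


# Constructed sample inventory (not real devices or people).
SAMPLE_RECORDS = [
    DeviceRecord("LAPTOP-001", "alice", "windows", date(2020, 4, 1), True, True,
                 date(2020, 4, 13), True, True, True),
    DeviceRecord("LAPTOP-002", "bob", "macos", date(2020, 2, 1), True, True,
                 date(2020, 3, 20), True, False, True),
]

if __name__ == "__main__":
    for device_id, failures in authorize_fleet(SAMPLE_RECORDS, AS_OF).items():
        status = "AUTHORIZED" if not failures else "DENIED: " + "; ".join(failures)
        print(f"{device_id}: {status}")
```

Run as a script, the first sample device is authorized and the second is denied for stale patches, stale antivirus signatures and a missing MFA enrollment. Collecting every failure in one pass, rather than stopping at the first, is what makes the output useful as a remediation checklist for the device owner.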


Employers should also proactively remain connected to their employees and keep everyone aligned despite the recommended social distancing that requires physical separation. Forbes contributor and executive coach Alisa Cohn encourages leaders to carve out daily meetings in a “virtual situation room” with a specialized leadership team, to convene with a mandatory call to keep everyone connected and updated, and to share situational updates with the rest of the company. Moreover, all personnel must be encouraged to stay alert and inform leadership in the case of a possible security breach, risk of data loss, or privacy concern.

→ Engage in Contractual Protection with Suppliers and Clients

Still, a prominent Hong Kong law firm cautions that companies may yet be vulnerable to confidentiality and data privacy risks from remote home arrangements, and improper safety measures could be “epidemic” for those organizations. Their suggested “cure” to mitigate such risks includes contractual protection, including with IT suppliers. This means the inclusion of representations and warranties from providers, and the inclusion of an indemnification clause to ensure risk allocation in case of default. Regarding clients, it mandates inclusion of liability exclusion or limitation (e.g. capping professional liability) and the inclusion of disclaimers in contracts and websites to disclaim the organization’s associated IT security risks.

→ Prioritizing Privacy

In the event of a public health emergency such as the current pandemic, privacy legislation can’t and shouldn’t impede the work of public health officials. Even so, it’s probable that these public health authorities aren’t as well-versed in safeguarding the additional amounts of data they’re investigating or handling during such a singular moment, especially since panic-evoking outbreaks such as the COVID-19 pandemic also tend to blur the lines of what’s “necessary” or “reasonable.” And while the Constitution of the United States sets our framework to an extent, in that the government’s exercise of public health police powers must be necessary, reasonable, and proportional, and must avoid harm, organizations must remain vigilant and updated, and keep their people’s health top-of-mind.

About the Author

Avani Desai

Avani Desai is the CEO at Schellman. Avani has more than 15 years of experience in IT attestation, risk management, compliance and privacy. Avani’s primary focus is on emerging healthcare issues and privacy concerns for organizations. Named as one of the 2017 Global Leaders in Consulting by Consulting Magazine, she has also been featured and published in the ISSA Journal, ITSP Magazine, ISACA Journal, Information Security Buzz, Healthcare Tech Outlook, and many more. Avani also sits on the board of Catalist, a not-for-profit that empowers women by supporting the creation, development and expansion of collective giving through informed grantmaking. In addition, she is co-chair of 100 Women Strong, a female-only venture philanthropic fund to solve problems related to women and children in the community.
