Prioritizing Privacy During a Pandemic

January 7, 2021 Avani Desai

Data privacy is as critical in a public health crisis as ever – if not more so. Schellman & Company President Avani Desai discusses what companies can do to ensure data privacy remains a focal point in the organization’s strategy. Read the full article below or on the Corporate Compliance Insights website.

It’s official: we’re living through the world’s latest pandemic. And while governments and specialized agencies such as the World Health Organization are issuing valuable guidelines and regulations to keep us healthy, organizations and individuals face another unprecedented concern: what about data privacy?

According to directions from the Centers for Disease Control and Prevention (CDC), and as laid out in the 1944 Public Health Service Act, public health authorities are one court order away from obtaining almost any data they want about any of us. During a pandemic like the current COVID-19 outbreak, the true scope of the CDC’s powers is brought to life and can be enforced; according to the CDC manual, should the need arise, public health officials can investigate or detain you, force you into quarantine and access, confiscate or destroy personal devices and data. They’ve got “police powers.”

Of course, such authority stems from the government’s core duty to protect public health and safety, even if it means restricting individual freedoms. For example, when a person is diagnosed with COVID-19, public health experts must discover where the individual has been and track down everyone they’ve been in contact with in an effort to curb the spread of the virus. It’s well-intentioned, and it can save lives.

Still, do we, and can we, draw a line somewhere regarding data privacy and security? How far does it go? Here are some ways organizations can keep prioritizing privacy as much as possible, whenever possible.

Develop (or Enforce) a Comprehensive Privacy Management Program

A successful privacy policy framework, according to Ionic, “requires understanding all aspects of what personal data is and how it is used across all facets of your organization.” You’ve got to identify and classify data, communicate and implement an overarching and transparent policy (internal and external) and determine how you’ll control and safeguard data. If you haven’t already implemented a privacy policy, there’s never been a more pressing time. International regulators agree that such a program should consist of:

  1. Designating a Chief Privacy Officer (or respective task force) to coordinate the program.
  2. Enacting data security policies and procedures and educating staff on them.
  3. Inventorying data, conducting regular risk and privacy impact assessments and regularly testing implemented privacy controls/procedures for each business operation.
  4. Building privacy principles into product development and research.

Understand What Information to Provide

Privacy experts have warned that “there is a balance to be struck between protecting private health and ensuring privacy rights aren’t infringed as both the government and employers take efforts to tackle COVID-19.” So far, guidance from the U.K.’s Information Commissioner’s Office (ICO) and Ireland’s Data Protection Commission (DPC) is that employers must continue to respect data protection principles (e.g., securing personal data by minimizing access, ensuring eventual erasure and adequately training staff) and keep personal data collections (e.g., health details, location or travel details) to the minimum required.

Employers must stay informed. Guidance is emerging daily on how the pandemic affects data protection law in different countries, as governments clarify the legal basis for processing data, the additional data protection principles that apply and employers’ questions about processing employee health data. The Belgian Data Protection Authority, for instance, has stated that personal data collected through measures implemented to prevent the spread of the virus must be processed in line with all the fundamental principles of Article 5 of the GDPR; in particular, companies and all other employers must inform employees and visitors of the purposes for which their data are processed and the period for which the data will be retained.

Engage in Contractual Protection with Suppliers and Clients

A leading Hong Kong law firm cautions that remote working arrangements expose companies to confidentiality and data privacy risks, and that inadequate safeguards could prove “epidemic” for the organization. Its “cure” is contractual protection, including with IT suppliers: representations and warranties from providers, and indemnification clauses that allocate risk in case of default. On the client side, it means liability exclusions or limitations (e.g., capping professional liability) and disclaimers in contracts and on websites covering the organization’s IT security risks.

Seek Legal Advice

Deciding what data to collect and disclose, and how to protect it, can get legally complex and context-dependent. As has been pointed out:

“different employers may need different standards when it comes to maintaining the confidentiality of any patients diagnosed with the coronavirus — there is a much greater need, for instance, to know the identity of an individual with the coronavirus if they work in a nursing home than if they work in a large office.”

Our latest pandemic isn’t just spreading a virus; it’s also spreading concerns and unprecedented challenges. Seek legal advice to set up an effective and efficient framework for tackling the confidentiality and data privacy risks your organization could confront.

Enhance IT Security and Stay Connected

Privacy isn’t a concern that arises only from the government’s need to track the outbreak. New risks also emerge from new work environments, as more and more people are encouraged or mandated to work remotely. Remote work brings its own share of privacy challenges: unsecured Wi-Fi networks and personal devices, missing or misconfigured firewalls and antivirus software, and the lack of updates, backups and encrypted communications.

There are many ways organizations can put security measures in place to mitigate breaches and data loss. Employers must assess all probable and potential security risks posed by remote work arrangements, pre-vet and authorize specific employee devices, install properly configured security controls (firewalls, antivirus software, etc.) and enforce security protocols (multifactor authentication, additional credentialing, VPNs, etc.).

Employers should also proactively stay connected to their employees and keep everyone aligned despite social (physical) distancing. Forbes contributor and executive coach Alisa Cohn encourages leaders to carve out daily meetings in a “virtual situation room” with a specialized leadership team, hold a mandatory call to keep everyone connected and updated and share situational updates with the rest of the company. Everyone must be encouraged to stay alert and to inform leadership of any possible security breach, risk of data loss or privacy concern.

In a public health emergency such as the current pandemic, privacy legislation can’t and shouldn’t impede the work of public health officials. The downside is that public health authorities may not be as well versed in safeguarding the additional data they are investigating or handling. Panic-evoking outbreaks such as a pandemic also tend to blur the lines of what’s “necessary” or “reasonable.” To an extent, the U.S. Constitution sets the framework: the government’s exercise of public health police powers must be necessary, reasonable and proportional, and must avoid harm. At any rate, organizations must remain vigilant, stay updated and keep their people’s health top of mind.

About the Author

Avani Desai

Avani Desai is the CEO at Schellman. Avani has more than 15 years of experience in IT attestation, risk management, compliance and privacy. Avani’s primary focus is on emerging healthcare issues and privacy concerns for organizations. Named as one of the 2017 Global Leaders in Consulting by Consulting Magazine she has also been featured and published in the ISSA Journal, ITSP Magazine, ISACA Journal, Information Security Buzz, Healthcare Tech Outlook, and many more. Avani also sits on the board of Catalist, a not-for-profit that empowers women by supporting the creation, development and expansion of collective giving through informed grantmaking. In addition, she is co-chair of 100 Women Strong, a female only venture philanthropic fund to solve problems related to women and children in the community.
