A look at the privacy rights under threat from Coronavirus and the development of new applications to mitigate. Hard won rights over the past few years could be given away too easily in the rush to find a solution. It might not be so simple to get them back…

One of the most astounding things of the last year was that people were becoming more aware of privacy issues. 2019 saw concerns about the use of CCTV facial recognition technologies by the police and an increasing ad spend from the social media networks to ameliorate the bad publicity that data breaches and misuse of personal data had garnered.

We saw an upturn in companies wanting to talk about including privacy tools, and in particular consent management, within their solutions. Maybe privacy-by-design was catching on!

Privacy rights ignored?

It is a little concerning then to see some of the applications in development to help identify the spread of Coronavirus that are not always treating the users’ personal data according to data protection law. 

Perhaps it is partly because of the mixed messages from Government. In the UK, Health Minister Matt Hancock said on Twitter that 

“GDPR does not inhibit use of data for coronavirus response. GDPR has a clause excepting work in the overwhelming public interest. No one should constrain work on responding to coronavirus due to data protection laws.

We are all having to give up some of our liberties; rights under GDPR have always been balanced against other public interests.”

Now whilst this is true and it is of course absolutely fine to use personal data to create innovative solutions that are clearly for the public good. It is important to recognise that these exceptions are time-bound to the particular need of the patient or the common good. 

It would have been helpful for the minister to ensure that any exceptional use of personal data is restricted to applications that genuinely help reduce infections and only while the infection is prevalent.

Coronavirus brings grave concerns

There is grave concern that without a planned approach to privacy processes within these innovative solutions the data will not be protected later if the solution remains in use. Similarly where the data is transferred to third parties for processing – are there controls in place to prevent the data being misused or sold on.

One of the applications that has caused concern is contact tracing. It is used to successfully reduce the number of infections in South Korea and other countries. The South Korean government app shows the routes taken by infected persons, measured by their smartphone. The concern is that it is sometimes possible to identify the individual through the places they have been.

Also, people are increasingly adopting video calling solutions while working from home. Some of these, such as Zoom, have been questioned as to the strength of their security and protection of personal data. There have been incidents of ‘ZoomBombing’ where people can join meetings to which they are not invited, exposing the data of other participants and generally causing mayhem. 

One way that companies try to avoid privacy questions is by anonymizing the data and analysing using broad datasets rather than individual data. The concern here will be how possible it might be to de-anonymize the data. A previous project test that I was personally concerned with managed to reconstitute the personal data of over 40% of anonymized health records by matching against publicly published information.

Privacy by design

In creating these new innovative applications, there should still be time to implement a privacy-by-design approach. The hope has to be that these applications will provide value, some of them in the long term. A planned approach will reduce the need to force privacy tools into an application after it has been created – a much more difficult task than implementing beforehand.

We must develop new applications to fight Coronavirus. Speed is of the essence so sometimes to serve the greater good it makes sense to work with personal data in the short term. When deploying applications to the public, however, privacy must be considered and, wherever possible, implemented. Once privacy is invaded, it can take a very long time to recover…