In July, Guernsey Partner Richard Field and Cayman Islands Counsel Peter Colegate examined the unprecedented challenges facing businesses in respect of data protection and cyber security in the grip of the global pandemic. They discussed some of the information management and data protection strategies that businesses would need to adjust to keep up. Now that working remotely is becoming less of an emergency response and more of a long-term strategy for many businesses, we revisit some of the issues with a fresh perspective. We also hear from Appleby's Head of Information Security, Michael Hughes, on the importance of ensuring that your entire supply chain, including your lawyers and corporate service providers, employs robust and secure systems and techniques to protect your data and your business.
As the world enters the second wave of COVID, there is a growing risk that the erosion of personal privacy will become another casualty of the pandemic.
Worldwide we have seen governments harness data collected from mobile phones, thermal imaging cameras, drones and facial recognition software to identify at-risk individuals and track their location, movements and other data points, including body temperature. Shelter-in-place orders have forced many families to replace traditional offline activities with online alternatives, leading to the disclosure of personal information and the creation of new digital records that would otherwise not have existed. Voluntary self-disclosure on social media platforms has also increased, resulting in private information that was not typically recorded being captured and stored electronically. More worryingly, forced or late adopters of online tools, such as the elderly, disabled, and lower-income households, often lack the knowledge or support to adequately understand the privacy risks inherent in those activities. The risk of exposing sensitive data has also increased as organisations have shifted rapidly to remote working, with employees accessing and transmitting data in locations that may be less secure, and accessing corporate data via personal devices and across networks and platforms that may be more vulnerable.
Privacy rights, once relinquished, are rarely regained. Principles of transparency and proportionality are critical during these times and should apply to any organisation using individual personal data to address COVID-related problems. Organisations must be proactive by designing privacy into any technology solutions, with particular care to implement strong privacy protections that safeguard the vulnerable. A good example of this approach is the "exposure notification" tool recently developed jointly by Apple and Google. The two rivals worked together to build an app that uses Bluetooth technology to provide an alert to a user that he or she has been in close proximity to or in contact with someone who had been exposed to the virus. Importantly, the tool was designed so that the data would only stay on the recipient's phone for 14 days and would then disappear. The tech giants also ensured that the tool would not mark the location where the contact occurred and that the data would not be available to employers, insurers, governments or health authorities.
Data Protection Rights and Obligations
For most European-style data protection regimes, personal data must be processed fairly and lawfully and used for a legitimate purpose that has been notified to the individual. Personal data holdings should not be excessive in relation to the purposes for which the data was collected and should be securely purged once those purposes have been fulfilled. If personal data are processed for any new purposes, this processing can only be undertaken if there is a legitimate purpose for doing so which has been notified to the affected individual.
Data protection laws generally give individuals the right to access personal data held about them and to request that any inaccurate data be corrected or deleted. Data retention periods vary, but each data controller must determine for how long data should be kept and ascertain how they might be securely deleted once the purposes for holding the data have been satisfied. In this case, the period will itself vary from a short timescale (i.e. a restaurant collecting a list of diners for "track and trace") to a longer one (a government assessing infection trends and cases).
Where personal data holdings are shared between parties, contractual or other provisions should be put in place between the data controller and the third party processor to ensure that any personal data is processed only for authorised purposes, that all data is stored and transmitted securely and that incident response plans are in place in the event of a data breach. Use of subcontractors by the service provider without the prior approval of the data controller should be prohibited, particularly where international transfers of data are involved.
Getting the Balance Right
As organisations plan for the new normal, there remains concern among both employers and employees about safety in the workplace. If employers can effectively compel employees to have temperatures monitored or to wear masks, could they also compel them to use apps which provide an early warning of symptoms and indicate the potential to be infectious? For the employer, it is a fine balance between the duty of care for the workforce as a whole, and the duty of care for the individual worker.
Other workplace confrontations may be brewing as well, as employers consider implementing other technologies, such as artificial intelligence, to enforce social distancing and safe work environments. Just as technology can be used to help workers do their jobs remotely, it can also be used to determine whether those same employees are actually working when they are no longer in the office. The news that an online beauty product fulfilment business had been tracking its workers' hours, keystrokes and mouse movements, and viewing screenshots to see what was being done, has been met with a significant backlash, for example. As a result, "mission creep" and misuse of data are likely to become an increasing concern.
To ensure the protection of personal data and build trust, organisations need to focus on the following:
- Ensure there's a clear legal basis for the collection of personal data
Individuals need to understand how their data will be managed, secured, used and deleted when it's no longer required. Organisations should review and consider their privacy policies to ensure relevance and that they match the activities being carried out. These notices should disclose why the information is being collected, what the organisation will do with it, how long they'll retain it, when it might be shared with a third party (particularly where that is a government or health agency) and who data subjects can contact if they have any questions.
- Privacy by design
It's much easier and safer to design privacy into new technology than it is to bolt it on as an afterthought. Crucially, this is also central to many global privacy laws, including the GDPR. Organisations will need to take a similar approach with any new technologies they deploy and underpin those deployments with privacy impact assessments to help demonstrate compliance.
- Be proportionate
Is the information being gathered necessary and proportionate? Personal information should only be shared with those who actually need to access it. For example, if an organisation needs to inform employees or customers about potential exposure to someone who tested positive for COVID-19, then they must only share the information necessary for people to assess their risk. Where possible, organisations should consider adopting pseudonymised or anonymised data sets to reduce the chance of re-identification.
- Train staff
Not only should the business identify the risks, but it should make sure that staff are also aware of them and how to handle data appropriately. A (now former) employee of a London bus tour company recently lost their job after using track and trace contact details to attempt to befriend one of the customers. Not only was it a misuse of the customer's personal data, but it undoubtedly caused the individual some anxiety. These issues have a real personal impact.
What is clear is that the future of privacy requires a concerted effort to balance appropriate crisis responses with the need to keep personal privacy intact. Faced with constantly changing guidance and opportunities to embrace new technologies, it will be vital for organisations to make decisions through a dynamic, data-driven approach. Given the lack of inter-governmental consensus as to how to handle the pandemic, we cannot expect a unified approach to the data issues arising. Awareness of the local requirements and options is therefore vital.