Can the ‘great divide’ between socially responsible collective action & the concept of privacy be bridged any time soon?
A newly published report sets out a number of measures, aimed at both the public & private sectors, that need to be taken in order to demonstrate accountability whilst still delivering privacy protection in a time of pandemic.
The current situation is dominated by uncertainty. Can contact-tracing technology help to slow down this virus? And what will the implications of that technology be for data sharing, democracy, and the ‘much-quoted’ right to privacy?
Published this week, the report attempts to describe a series of accountability measures that everyone – organisations, companies, academic institutions – should follow to best address these issues.
The paper, which has been published by the Centre for Information Policy Leadership (CIPL) – (a global privacy & security think tank based in Washington DC, Brussels & London) – describes 12 measures that the public & private sector should follow in the context of the virus:
- Clearly defined & documented purposes of data use
Projects need evidence to justify the need for data collection from the outset. “Each proposed project must define clear objectives to set the boundaries of what can and should be done with the data and for what purposes.”
- Proportionality test
Organisations must ensure that the amount of data they gather is proportionate to their goal. The question to ask is whether the same objective could be achieved by collecting less.
- Privacy impact assessment
Organisations need to assess the risk behind gathering data. There is inbuilt risk in sharing health or geo-location data, but also a risk in not using data-driven technology in a crisis.
- Transparency to individuals
People who participate in a project need to be able to see how their data is being used, presented in a user-friendly format, in order to build trust and acceptance.
- Robust security
This is the most obvious measure: security controls need to be in place to prevent interference with, or compromise of, the IT systems involved and, with COVID-19 particularly in mind, anything that could jeopardise the functioning of a hospital.
- Storage and use limitation
Any COVID-19 data processing must be limited to a defined time frame. Once that use has ended, the data must not be retained or repurposed for anything unrelated to the initial purpose.
- Roles, responsibilities & training
Everyone involved in the project needs to be fully aware of their responsibilities & expectations around privacy & accountability.
- Data sharing agreements & protocols
Organisations that share data with each other have to define their respective rights & obligations. The protocols must include oversight & review mechanisms.
- Trust, but verify
Organisations need to conduct assessments and audits to verify that they are following all requirements, controls and accountability measures.
- Internal oversight & external validation
The level of oversight needed depends on the size & risk of a project. In some situations a Chief Privacy Officer (CPO) will suffice; in others, a larger ethics or data advisory council or review board might be needed.
- Regulatory engagement & validation
Organisations should expect to demonstrate accountability to, & receive feedback from, privacy regulators.
- Privacy-by-design through technical measures
Organisations should consider how technical measures can help ensure privacy-by-design in future data projects.
A basic GDPR principle – alongside lawfulness, transparency, & data minimisation – accountability is a crucial part of data protection in the EU, where organisations that act as controllers must be able to demonstrate it when carrying out their data processing. CIPL observes that the concept has ‘been taken on board’ elsewhere, too, with many companies appointing Chief Privacy Officers (CPOs), carrying out privacy impact assessments, & generally raising awareness of data protection & privacy.
CIPL hopes that its guidelines will bring some degree of structure to the processing of data in a pandemic.
“When requesting access to or sharing of data from the private sector, governments must implement all appropriate accountability measures and protections,” the paper reads. “In particular, their requests must be based on a statutory or other legally permissible requirement and their use of data strictly limited for the purpose of a specific COVID-19 initiative.”
CIPL, which is linked to the global law firm Hunton Andrews Kurth, has a track record of publishing guidance on data protection.
Last summer the think tank released a paper explaining how standard contractual clauses (SCCs) for international data transfers should be brought more closely into line with the EU’s GDPR.
Nor is this the first paper CIPL has published on accountability: the group has issued many papers on the subject over the last two years.