Data in the Time of Coronavirus

As the experience of living through a global pandemic sinks in, we are adjusting to a new reality. Airports are half empty, hand sanitizers are the price of good wine, and if you want to clear out a quiet corner in a busy coffee shop, all you have to do is cough for 30 seconds and you will have the place to yourself. This outbreak also brings to light an interesting realization about the work that many of us have been engaged in during the last few years, preparing for privacy regulations like the GDPR and CCPA. As we follow the activities taken by public health authorities from around the world, it becomes clear that the attention organizations gave to the discovery of personal information and improving the controls over it’s update and use, has positive ramifications that extend beyond regulatory compliance.

Public health and the use of personal information

Global news reports suggest that personal information plays a critical role in the prevention and containment of the Coronavirus. As new infected patients are identified, authorities are retracing their steps to alert others that may have been exposed. People that have been in contact with infected patients are often required to quarantine themselves for up to two weeks until it can be confirmed that they do not carry the virus as well. Individuals under quarantine are tracked (with stiff penalties for breaking it) and the cycle of notifications continues if they become symptomatic.

Collecting and analyzing personal information from across the country allows the authorities to identify groups and zones that are at a higher risk to contract the virus. This leads to additional steps on a broader scale, such as including the isolation of areas or a whole country (as is the case with Italy) on top of the quarantine of individuals. As more data is collected about impacted patients, officials hope to gain new insights, such as, what makes certain individuals more susceptible to this disease.

Health officials are tapping into government databases for the personal information they need. Employers and consumer-facing organizations are expected to support this effort as well. The personal information organizations keep can be more complete, accurate or granular for use in support of the public health effort. Organizations can share personal information with the authorities for this purpose under privacy regulations; saving lives comes before protecting privacy, even under the strictest of privacy regulations.

Privacy compliance in the context of a pandemic

During the last five years organizations around the world have gone through significant efforts to prepare for and operationalize new privacy regulations. These compliance efforts revealed that previous investments in cyber security did little to address the use of personal information at the data subject level – the essence of many privacy regulations. In many organizations, the privacy compliance efforts started with the basics of information management: identify where personal information is stored in structured and unstructured formats and connect disparate data elements to form a more complete view of the identities behind the data.

While meeting the requirements of privacy regulations is a worthy cause, today we have a new appreciation for the investments in technology that enabled the discovery and control of personal information. Finding data elements and accurately identifying identities are critical on a global scale and presents a new facet of the Return on Investment (ROI) for privacy compliance. It is rewarding to know that the ability to find identities across an organization and all their related personal information serves a broader purpose than furnishing Data Subject Access Request (DSAR) reports. The ability to quickly locate the most accurate personal information of a specific individual can help save lives. Kinda cool, isn’t it?

Let’s not hide privacy behind a surgical mask just yet

Although notice, consent and data subject access are not part of the process when using personal information to address a public health emergency, there are data management requirements that organizations have improved on for privacy compliance that are still relevant during a pandemic. Data minimization is one such requirement. From a privacy perspective, data minimization means not exposing information about other data subjects and sharing just the information needed for the task at hand. From a public health perspective, data minimization means saving valuable time by focusing on the most relevant information, rather than sifting through volumes of data to find what is needed.

Using secure sharing channels to protect the data from falling into the wrong hands is another important consideration. As we think about core tenants of data protection—confidentiality, integrity and availability—it is easy to see how these principles carry a new meaning when personal information is used in an emergency. Integrity and availability are critical for a quick response. Confidentiality is especially important as we contemplate the “day after.” We certainly want to avoid the ramifications of lost data and exposed sensitive health information now and when this global scare is behind us.

Extreme situations always remind us of the basics—the things that really matter. Our ability to stop this pandemic will benefit from the increased maturity in the management of personal information that was precipitated by privacy regulations. Well managed data is not just a critical asset for the organization that uses it, it can have much broader benefits as well.

If you would like to learn more about how organizations need to refine data management practices, check out my 3-Part Blog Series:

Part 1: Rethink Data Management Practices for CCPA, GDPR and Beyond

Part 2: Obfuscate and delete the personal information of data subjects

Part 3: Associate third parties with the data subjects they process

About the author:

Sagi Leizerov, Ph.D., SVP Enterprise Privacy Solutions at Dataguise

Sagi is a Certified Information Privacy Professional (CIPP/US) with over 20 years of privacy and data governance experience. You can check out his full bio here.