The global impact of the COVID-19 pandemic has resulted in countless technology solutions that have been developed, at rapid pace, in an effort to prevent its spread. However, many of the initiatives which require extensive data collection, such as contact tracing solutions, have raised questions around how the data is stored, shared, and used.

Data on sensitive details such as medical history, geographical location, and even credit card usage is now in the hands of numerous public and private entities that may not be well-versed in properly handling this information. Let’s dive deep into what’s at stake if COVID-19 related data is leveraged irresponsibly and what needs to be done to prevent misuse.

 

How is data being collected?

Government-built contact tracing solutions are one of the primary ways in which public data has been collected over the course of the pandemic. These vary from very high-tech solutions, like that which was put in place in South Korea to less advanced versions, like that of Bhutan.

The South Korean government’s contact tracing solution was extremely extensive. The government released an app that tracked the locations of all new visitors to the country, while registration was necessary in facilities such as gyms, restaurants, and malls, and people who broke quarantine were asked to wear a location-tracking bracelet. In addition, smart city tech was used to bolster contact tracing networks, which used data such as CCTV footage, credit card transactions, travel information, and location data.

Meanwhile, Bhutan adopted a less invasive, low-tech approach, where citizens simply tracked their own movements by scanning QR codes in different public places and on public transport. If it became apparent that people with COVID-19 had been present in a certain location such as a restaurant, office, or store, everyone else who had been there around the same time was notified. The continuous scanning of QR codes allowed the government to gain an accurate picture of how the virus spread while providing the means to alert citizens when necessary.

These two approaches lie at each end of the invasivity spectrum, but both require extensive data collection on citizens to function correctly. What’s concerning for many is the lack of anonymity around the data. Cynthia Cole, special counsel in the Palo Alto technology practice at the law firm Baker Botts, summarised it when she said “contact-tracing apps have been portrayed as anonymised, deletable, and non-violating of existing privacy laws. However, the jury is still out on that.”

In addition to contact tracing apps, significant amounts of medical data is also being gathered, stored, and shared by hospitals and system providers. When patients get moved from one hospital to another, so do their records, meaning multiple people are accessing sensitive health data – and not always in a compliant environment.

Many employers are also privy to employee health data, especially in countries where the employer typically provides health insurance. In the US, there are over 150 million people covered under employer health insurance plans – those employers automatically get access to data including employees’ positive COVID-19 tests and those of their family members if also included in the plan.

A number of employers have also been enforcing mandatory testing and temperature monitoring in order to ensure workplace safety. This practice also calls into question how this data is being stored and used.

What’s at stake if this data is not handled and protected properly?

There’s no question that the public data accessible through contact tracing is of extreme value to government bodies that seek to increase surveillance on their citizens. Many solutions give insights into granular data such as purchases at certain times, how people move around using public transport, and how much time they spend in certain places.

When it comes to employer access to data, there are already issues forming here. If employers have access to employees’ or potential employees’ health data, they could use it against them and allow citizens’ health history to impact their employment opportunities. For example, employers seeking caregivers in the US have expressed preference for applicants with positive COVID-19 antibody test results or candidates that have had the virus.

In addition, employment information was used against healthcare workers that were seeking accommodation in New York City and across the US during the height of the crisis. Many were refused housing rental or kicked out of their homes based on their heightened chance of being exposed to the virus.

 It’s also vital to recognise how minority communities have been disproportionately affected by COVID-19, and this will continue if their data is shared beyond what is necessary. For example, data on who contracted the virus in certain neighbourhoods and which locations acted as epicentres might contribute to prejudices forming about those areas. Equally, ethnic minority communities have not historically received equal access to the justice system; this would manifest further if data on people from those communities was compromised.

How can organisations and institutions ensure data privacy for citizens?

Collectors and users of data can range from national governments and public institutions to health insurance providers and private employers. In order to protect citizens’ data, they must adopt a number of best practices.

Governments leveraging contact tracing technology should make the apps and their underlying code open source so it can be accessed and monitored by external experts who can ensure the data is being securely managed. Government bodies should work towards making security around public COVID-19 a legal matter and mandate that it is used in a safe environment and not exposed to unauthorised users.

In the case that citizen data is breached, there should be legal recourse for citizens who have been victims to any such misuse. In the same way that victims of identity theft or financial attacks have access to legal recourse, government bodies should provide similar opportunities for those impacted by the unlawful use of their data during the pandemic.

 Organisations managing citizen data can open their processes for third-party review to ensure compliance with regulatory requirements. This is an area where England’s test and trace programme ran into issues, as it did not carry out a thorough enough assessment on data compliance before launching. The Open Rights Group even stated that the programme breaks GDPR data law.

All gatekeepers of public COVID-19-related data should commit to only using the data for purposes that contribute to fighting the pandemic, and ensure that they delete citizen data as soon as it loses its relevance (from 30-60 days after collection, in the case of contact tracing). In addition, organisations that are monitoring and collecting data on employees should clarify how it is being used and for what purpose from the get-go.

There’s little doubt that data holds huge value in the fight against COVID-19 and the return to some resemblance of normality for citizens. That doesn’t, however, give collectors of public data the permission to use it as they please. In order to ensure that those who provide data do not fall foul to its mistreatment, government institutions, health care bodies, employers, and any other organisation collecting, using, and storing public data must commit to extensive data protection methods and its authorised use.