Data Protection perspectives in a COVID age
02 - 06 - 2020
The emergency and disruption brought about by COVID-19 have created a series of data protection issues – new ones arise all the time. We have come across a number of them; they include well-meaning apps sharing details of vulnerable people within their wider communities; tracing apps; employers uncertain whether they can tell non-furloughed staff who has been furloughed (they can); questions over whether employers can advise staff that other staff might be ill (generally, they can); and the need to respond to subject access requests when resources are stretched.
As ever, the Information Commissioner’s Office have been very good at addressing core concerns – though they too have been stretched – with regular directed and clear blogs from the Commissioner Elizabeth Denham and others. In a rapidly developing set of circumstances, the challenges for them to respond clearly and at pace have been considerable. What they could not do is suspend data protection, because data protection exists for clear reasons – to protect people and their personal information. This becomes more, not less important in times of crisis when opportunistic criminals will seek to exploit slackening of people’s safeguards. It is relevant to note that the ICO enumerate their responsibilities as:
- Protecting the public interest: focusing on the information rights issues that are likely to cause the most harm or distress to citizens and businesses.
- Enabling responsible data sharing: ensuring that data can be shared responsibly and with confidence for the public good, including responding to the risk arising from a failure to share.
- Monitoring intrusive and disruptive technology: ensuring they protect privacy, while enabling innovation and supporting the economy.
The last phrases are interesting - enabling innovation and supporting the economy; not as a “thou shalt not” regulator, but acknowledging the need to support economic growth and innovation when the former, at least, is in crisis. Innovation is needed not just for economic growth, but also directly to address the needs for technologies to deal with the crisis – whether track and trace, distancing, alerting or restarting the economy.
We have encompassed a close interest in data protection within our specialist technology advisory function, and shared our thoughts on tracing apps in late April here. We see data protection as a basic right of individuals, especially in a world where mighty corporations can amass enormous amounts of data on individuals; indeed, were that a core part of their business models. This isn’t nanny-state stuff. There has to be a balance, and individuals, singly, simply don’t have the power or usually even the knowledge to raise their own defences. We have grown up in a world where we are invited, subtly and enticingly, to give out personal information to others. We do so freely and for free, because of what we get “for free” ourselves. The pages we view and the likes we give, give technology companies intimate knowledge of us, and enable them to have a stranglehold on the online advertising world; potentially over the political world, too.
The protection of individuals’ vital interests is an alternative to consent as a ground for collecting personal data, but the collection of that data might otherwise blow a huge hole in the protection of individual freedoms. For this reason the ICO are engaged in examining, and the developers of the tracing app NHSx are keen to share code and give transparency, to its tracking app. Interestingly, people are apt to say that they don’t trust the government, but they do trust the NHS; and people tend to feel that the NHS is there for them and no other reason, whereas government as such – less so. This might be simplistic – but there is a kernel there which is widely felt.
Getting the balance of data protection right in these unusual times is essential; but not by lowering our defences against abuse and misuse. By failing to understand what data protection privacy matters is about, and why, we are in danger from something other than COVID-19. Because one danger has the greater focus at a given time doesn’t mean the others become less dangerous; and the distraction of one can be an opportunity for those who seek to exploit the other. It is worth the time – as well as a legal requirement – for businesses to understand why data protection and privacy matter.