Amid the on-going global health crisis, questions and concerns circulate over the future of privacy. Now, with the increasing deployment of contact tracing apps, headlines like, “Can You Track COVID-19 and Protect Privacy at the Same Time?,” are appearing regularly. While the increased attention on data privacy is important, let’s focus on the basics and remember that data collection and surveillance is not new.
As we look towards our future, it’s important to first acknowledge the recent past. The principles of privacy are not new. Discussions about privacy have been growing steadily on the global stage over the past several years. The most prominent example is from just over two years ago, when the European Union (EU) ratified the General Data Protection Regulation (GDPR). This was a watershed moment – not only for those in privacy and risk management – but for organizations around the globe. While privacy regulations exist at different levels in various regions around the globe, this concentrated effort redefined how businesses should store, manage, secure and use personal and sensitive information. The GDPR also helped the global community acknowledge the pivotal role data has in the digital economy.
Now in 2020, “it’s raining privacy bills,” particularly in the United States. From Washington to Florida, State houses recognize that action needs to be taken to protect people. On the heels of the GDPR two year anniversary, a draft bill (Data Accountability and Transparency Act of 2020) was introduced to the United States Senate that would bring GDPR-like protections to the U.S. This is just one of many bills, but goes further to hold data custodians accountable to safeguard our information. The progress is positive and a lot more needs to be done.
In the middle of a global health crisis, the topic of privacy is mainstream news again. However, with the GDPR in mind, governments are looking to limit the amount of data transferred by contact tracing apps to local agencies.
Will this health crisis change our perception of privacy? It’s unlikely.
Until something material happens, privacy is a background issue that many citizens don’t think about actively over the course of their daily life. Consumers are already programmed to hand over personal data in exchange for something they want. The same trade-off applies today: do I activate a contact tracing app to stay safe, or do I avoid it to maintain my privacy? In some parts of the world, downloading these apps are mandatory. In countries like Iceland, voluntary adoption surpassed 40 percent.
For those, like myself, who work in healthcare, the issue of privacy and data security is not a phenomenon or a fleeting moment – it’s what we do every day. We have regulations that govern our actions and inform our business operations. That said, businesses are reopening and may be required to start collecting sensitive health data on employees and customers. For many, this is likely the first time they’re challenged with securing this type of data. What steps should they take to prioritize privacy?
Go slow. While this is contrary to the mantra of modern business, when it comes to privacy, get it right the first time. A data breach of any health data could have catastrophic impacts, such as reputational damage. Pay careful attention to how you manage and secure this data as a way to enable greater efficiency long-term.
Rely on your peers. Many in the healthcare and financial services community have navigated the challenge of securing personally identifiable information (PII) for years. We have best practices and know what vendors to trust. Don’t make assumptions based on a vendor pitch in your inbox or the guarantees of an Internet display ad. Take advantage of the resources provided by independent organizations, and your colleagues who have already tested the waters.
Put increased attention on third-party risk. Whether an external vendor is implementing parts of your privacy program, or they just have access to your network, monitor them carefully. Conduct the necessary assessments beforehand and implement governance to ensure vendors only have access to use the systems and information they need for their specific job.
Limit the data you share. If you’re in a position where data needs to be shared across functions or outside of the business, limit what is moving and ensure it’s the minimum required. It’s imperative that you know what data is being shared and with whom in the information supply chain.
In many ways, the conversation about privacy is in its infancy – particularly in the United States. In my view, it is not a black and white discussion. It’s complex and subjective. That’s why I advocate for doing what is right versus what needs to be done.
Data has value. It’s not just a set of numbers or information; it’s derived from a human being. With that comes incredible responsibility. Whether you work in compliance, risk management or information security, don’t forget that the actions you take have consequences beyond the walls of the business. It’s not enough to worry about just your shareholders. Remember that your stakeholders (customers, partners, employees) are impacted by the decisions you make related to securing and managing data.
Kevin Haynes is Chief Privacy Officer at Nemours Children’s Health System.
Check out his recent discussion with Security & Compliance Weekly on how Nemours uses Archer to manage compliance risks