How Privacy by Design Can Support COVID-19 Data Collection

Data on the novel coronavirus and its effects is changing rapidly. To better understand the spread and resulting impacts of COVID-19, major companies and governments around the world have begun implementing tools to track our movements and interactions, collecting health data and other personal information. These COVID-19 data collection efforts highlight the importance of Privacy by Design (“PbD”) and the benefits of incorporating PbD principles into data collection practices.

Key Players in COVID-19 Research

Participating organizations suggest that information collected as part of COVID-19 prevention research will ensure affected individuals are appropriately connected with local health departments and resources, and will support public health and safety efforts. Earlier this month, Apple and Google announced a partnership in which the two giants will launch a contact tracing system through iOS and Android, respectively [1]. The programs will utilize Bluetooth technology to alert users if they encounter an individual who has contracted COVID-19. Apple and Google have stated that users must voluntarily opt in to the service, and that the service will not track geolocation but rather proximity to other users who have also opted in to the service [2]. Facebook announced a similar service through its “Data for Good” program, whereby the company will roll out three different digital maps to assist COVID-19 data collection efforts [3]. These maps will utilize co-location technology and insights gathered from individual connections on the Facebook platform to provide aggregate data by region. Unlike Apple and Google’s service, Facebook’s program will not require existing users to opt in [4].

Local governments are also creating health information databases focused on COVID-19. Currently a hotspot for the virus, the City of New York has developed a “COVID-19 Engagement Portal” where individuals may voluntarily and anonymously input personal data and experiences related to COVID-19 [5]. The data captured through these efforts could prove invaluable to organizations tracking the disease’s spread to identify hotspots and areas in need across the world. However, experts question the overall effectiveness of these data collections, since many are predicated on users opting in, as well as the broader implications of these methods for the data privacy landscape. Use of Privacy by Design in the development of COVID-19 data collection tools may provide a clear path forward for the gathering, use, and sharing of individuals’ data for public health research.

Privacy by Design Considerations

As recent privacy regulations have focused on the rights of private individuals, public understanding of the preservation of privacy and data rights has grown. To maintain adherence to these international regulations, even in the face of crisis, the principles of PbD should guide the development and operation of data collection. The following PbD principles can be applied to the recent COVID-19 data collection efforts of private and public organizations [6]:

  1. Proactive not reactive; preventative not remedial: This approach is characterized by preemptive measures; it anticipates risks and unplanned events before they take place. Key players can perform audits of data handling and incident response policies to ensure the planned data collection and sharing techniques are in compliance with stated policies.
  2. Privacy as the default: This principle aims to ensure that personal data is protected without any action required on the part of the individual in any information system or business practice. Purpose specification, collection limitation, data minimization, and data retention inform the principle of ‘privacy by default’.
  3. Privacy embedded into design: The technical design and implementation of COVID-19 research practices should occur under a holistic approach in the systems development lifecycle; privacy should be embedded into the technology and become a core component of its functionality.
  4. Full functionality – positive-sum, not zero-sum: Privacy by Design aims to balance the objectives of privacy and security principles, eliminating the need for “trade-offs”. Solutions that enable multi-functionality of security and privacy should be sought after; desired functions, metrics, and interests should be clearly documented.
  5. End-to-end security – lifecycle protection: Strong security measures are essential to strong privacy practices. From end-to-end, data should be consistently and securely transmitted, retained, and destroyed in accordance with internal policies, compliance obligations, and industry best practices.
  6. Visibility and transparency: Stakeholders should be assured that the handling of personal data is occurring in accordance with stated policies and objectives. Interactions with stakeholders should place an emphasis on accountability, openness, and compliance.
  7. Respect for user privacy: The interests of the individual should be the primary driver for the planning and implementation of privacy and security elements; the focus should be user centric.
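As an added illustration of principles 2 and 5 above (privacy as the default, end-to-end lifecycle protection) for a voluntary, anonymous report portal like the one New York describes, the following Python sketch is not code from the article or from any organization it names. The field names, region codes, 14-day retention window and five-report suppression threshold are assumed placeholders.

```python
"""Privacy-by-default model for a voluntary COVID-19 symptom-report portal.

Added example, not code from the article or from any organization it names.
Assumed: a report arrives as a dict from a web form; the field names, region
codes, 14-day retention window and 5-report threshold are placeholders.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Purpose specification / collection limitation: only these fields are ever
# stored; anything else the form submits is dropped rather than hidden.
ALLOWED_FIELDS = {"region", "symptomatic", "submitted_at"}
RETENTION = timedelta(days=14)  # assumed retention window
MIN_GROUP = 5                   # assumed: suppress regions with fewer reports


def minimise(raw: dict) -> dict:
    """Data minimization: keep only allow-listed fields, so the user never
    has to act to keep name, email or location out of the database."""
    return {k: v for k, v in raw.items() if k in ALLOWED_FIELDS}


def purge_expired(records: list, now: datetime) -> list:
    """Lifecycle protection: reports older than RETENTION are destroyed."""
    cutoff = now - RETENTION
    return [r for r in records if r["submitted_at"] >= cutoff]


def aggregate_by_region(records: list) -> dict:
    """Release per-region symptomatic counts only, and suppress regions with
    fewer than MIN_GROUP reports so a single report cannot be singled out."""
    totals = Counter(r["region"] for r in records)
    positives = Counter(r["region"] for r in records if r["symptomatic"])
    return {reg: positives[reg] for reg, n in totals.items() if n >= MIN_GROUP}


def demo() -> dict:
    """Constructed sample submissions: one over-sharing form post, one report
    past the retention window, and a region too small to publish."""
    now = datetime(2020, 4, 30, tzinfo=timezone.utc)
    day = timedelta(days=1)
    raw = [{"name": "A. Person", "email": "a@example.com", "region": "R1",
            "symptomatic": True, "submitted_at": now - day}]
    raw += [{"region": "R1", "symptomatic": False, "submitted_at": now - 2 * day}
            for _ in range(5)]
    raw += [{"region": "R2", "symptomatic": True, "submitted_at": now - 3 * day}
            for _ in range(2)]
    raw += [{"region": "R1", "symptomatic": True, "submitted_at": now - 20 * day}]
    stored = purge_expired([minimise(r) for r in raw], now)
    return aggregate_by_region(stored)  # {"R1": 1}; R2 suppressed, old report gone
```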

A Privacy Impact Assessment (“PIA”) may also provide key information on the applicable privacy risks, threats, and impacts facing organizations participating in COVID-19 research. The performance of a PIA on a new initiative, such as these COVID-19 research efforts, can illustrate how the initiative may adhere to PbD principles. A PIA can also illuminate policy and regulatory requirements for these organizations, lending itself to the development of actionable privacy controls to mitigate unacceptable risks.

Conclusion

As the duration of the COVID-19 pandemic remains unclear, these new data collection and monitoring methods developed by Apple, Google, and other organizations may persist in the long term. Companies and governments participating in the tracking and collection of personal data pertaining to COVID-19 should consider performing a PIA at the onset of all related research. The results of a PIA could drive the action plan for the implementation of PbD principles to tackle any gaps identified during the assessment. Moreover, remediation of high-risk items identified through a PIA can significantly reduce the potential impact of privacy threats on an organization’s finances, compliance, and reputation. Even in these uncertain times, it is paramount that companies abide by ethical best practices and prioritize principles of PbD in all aspects of data collection, keeping user-centric interests at the core of all operations.