Adopting Accountability in Data Protection Post COVID-19
Can the gap between socially responsible collective action and privacy be bridged? A new report outlines a series of measures for the public and private sector to take in order to demonstrate accountability while delivering privacy protection in a pandemic.
If one thing is certain in these rapidly changing times, it’s uncertainty. Will contract tracing technology help slow the virus? If so, what will the implications of the technology be on data sharing, democracy, and our right to privacy?
A new report, released this week, attempts to define a series of accountability measures that everyone - organizations, companies, academic institutions - should follow to best address these concerns.
The paper, published Tuesday by the Centre for Information Policy Leadership (CIPL) - a global privacy and security think tank based in Washington, DC, Brussels and London – outlines 12 measures in total that the public and private sector should follow in the COVID-19 context:
1. Clearly defined and documented purposes of data use
Projects need evidence to support the need for data collection in the first place. “Each proposed project must define clear objectives to set the boundaries of what can and should be done with the data and for what purposes.”
2. Proportionality test
Organizations need to ensure that the amount of data it gathers is proportional to its goal. Can it achieve the same objective by collecting less?
3. Privacy impact assessment
Organizations need to assess the risk behind gathering data. While yes, there is inherent risk in sharing health or geolocation data, there's also risk in not using data-driven technology in a crisis like the one we're currently in.
4. Transparency to individuals
Individuals who participate in a project need to be able to see how it's being used in a user-friendly format in order to build trust and acceptance.
5. Robust security
This is a given - security needs to be in place in order to prevent tampering, the hacking of IT systems, and with COVID-19 in mind, anything that could jeopardize the wellbeing of a hospital.
6. Storage and use limitation
Any COVID-19 data processing must be done in a limited time frame. Following its usage, the data should not be stored or used for any other purpose unrelated to the initial purpose.
7. Roles, responsibilities and training
Everyone involved in the project needs to be aware of their responsibilities and expectations around privacy and accountability.
8. Data sharing agreements and protocols
Any organizations that share data have to define their rights and obligations. Protocols must include oversight and review mechanisms.
9. Trust, but verify
Organizations need to conduct assessments and audits to verify they are following all requirements, controls and accountability measures
10. Internal oversight and external validation
Oversight may be needed depending on the size/risk of a project. In some scenarios a Chief Privacy Officer would fit the bill, in others, a larger ethics or data advisory council or review board may be needed.
11. Regulatory engagement and validation
Organizations should expect to demonstrate accountability and receive feedback by privacy regulators.
12. Privacy-by-design through technical measures
Organizations should give thought to how technical measures can help ensure privacy-by-design in future data projects
One of the core GDPR principles - along with lawfulness, transparency, and data minimization - accountability is a critical part of data protection in the EU, where organizations acting as controllers need to demonstrate it when carrying out data processing. As CIPL notes, the concept has caught on elsewhere, too, with many companies appointing Chief Privacy Officers, carrying out privacy impact assessments, and in general furthering cognizance around data protection and privacy.
CIPL is hoping their guidelines can bring some degree of structure to processing data in a pandemic.
“When requesting access to or sharing of data from the private sector, governments must implement all appropriate accountability measures and protections,” the paper reads, “In particular, their requests must be based on a statutory or other legally permissible requirement and their use of data strictly limited for the purpose of a specific COVID-19 initiative.”
CIPL, which is housed in the global law firm Hunton Andrews Kurth, is no stranger to publishing guidance around data protection.
The think tank released a paper last summer about how standard contractual clauses (SCCs) for international data transfers should more closely align with the EU's GDPR.
This isn't the first paper CIPL has published on accountability either; the group has issued multiple papers on the subject over the last two years