The COVID-19 pandemic amplified the precarious balance of technology, security and personal health data.
At the start, organizations with varying levels of technical acumen identified that location - one’s physical position in space - was a means through which technology could help find, protect, and personalize alerts to exposure and sickness.
The basic premise: Deploy technology to identify who you were near and for how long, and pair this with appropriate alerts.
Thousands of technology solutions were created; each had different intentions and solved different parts of this complex problem. Varying individuals, teams, companies, partnerships and governments were formed on this singular basis. Some sought to improve the world, offering free services with software; others saw that their technical skills could be instrumental in solving an urgent problem; and others improved product offerings. Governments, too, saw an opportunity to use established technology to radically improve policy.
Many saw the technical challenges of personally identifiable information (PII), the sensitivity of people to geolocation data misuse, as well as a social stigma that could be associated with broadcasting a positive result. Some solutions were naive, others were interpreted as malicious, with nefarious intentions.
If you’re out to protect yourself, your employees and others by participating in a program that helps protect people from an unpredictable threat like COVID-19, then there are some key items to consider.
THE VALUE OF INDIVIDUAL DATA PRIVACY AND TRUST
People generally believe that data should be used for its intended purpose. When organizations don’t treat personal data with personal respect a loss of trust occurs between the person and the entity managing the data.
Recent incidents put the importance of personal data privacy front and center. The identity theft of millions of credit card holders (Equifax Breach), or the nation-state weaponization of social media (Cambridge Analytica), cause people to feel out of control with their personal information.
Establishing and maintaining trust includes the policies and procedures across the organization. The focus each company puts into data management is driven by these capabilities. This focus builds further trust for the participants using the product. As a data processor, this is crucial to providing the kind of personal insights necessary to influence personal behavior.
With the rise of COVID personal location collection and processing, there is temptation for using this information in ways it was not intended. Some companies and governments have begun abusing the privilege of location collection to solve problems in other areas. This betrays the users who provided the data, and often creates more problems for governments and individuals.
Two egregious examples using COVID data for non-pandemic purposes include Singapore Police and COVID Data and Israeli cell phone tracking. Location information was used without consent of the individual, and at times used to entrap people. This sets a dangerous precedent.
Too often security and privacy is an afterthought. In today’s world, personal data collected for a company's gain is frequently a decision outside the hands of the individual. The lack of control over personal information damages the relationship between the individual and data processor(s).
THE DANGERS OF INFORMATION ASYMMETRY
Many individuals are not experienced, or perhaps willing to get in the specifics of exactly how their data is used, or they do not know of places to go learn about these details. On the flip side, those companies dealing with information on a regular basis must be well informed to perform their functions properly or risk alienating people.
An individual often receives data and security training in the workplace, from various media outlets, or anecdotally from trusted contacts. The different sources, and inconsistent messaging across these sources, means that having a clear conversation about life-improving data analysis can be a challenging one. These discussions range from a lack of understanding silence at one end to intense curiosity at the other.
If there is a lack of feedback on how data is being used or handled, this does not give the data processor the right or permission to abuse the data rights expected by each person. As a data handler it’s necessary to set standards and consistent rules about how people want their data to be treated.
For example, at StrongArm we train all employees on how to handle personal information, and make sure that we as an organization are compliant by performing regular audits of our system(s) that meet ISO 27001 standards.
As conversations inevitably arise about data rights, empower your audience with critical information that impacts them directly. In your role as a person responsible for workplace safety, consider partnering with another organization that provides this trust, transparency and accountability.
THE IMPORTANCE OF LOCATION
If you’re located in the United States, the roles and regulations are highly fragmented around personal information. Today, each state has individual data protection regulations. Some states like California have passed the strictest legislation — most notably the California Consumer Protection Act (CCPA), protecting consumers from companies trafficking in personal information, and subsequently the California Privacy Rights Act (CPRA), which expands on the rights of consumers and increasing penalties for non-conformance.
Outside California, other states are reliant on a patchwork of antiquated federal and state-specific regulations. Many states lead with the Health Insurance Portability and Accountability Act (HIPAA) to solve evolving personal data protections. However, the authors of these regulations were not able to foresee, nor predict, the challenges of the connected world. Additionally, federal data protections have been mired in controversy, unsuccessfully incorporated into other (unrelated) bills, and these have been generally ‘torpedoed’ earlier in the regulation creation process.
Other countries’ citizens fare much better. European Union residents enjoy a battalion of protections under General Data Protection Regulation (GDPR) legislation protecting the individual right to control where and how personal data is used.
The first line item of the regulation set the precedent for how personal information should be treated:
The protection of natural persons in relation to the processing of personal data is a fundamental right.
Other countries are taking notice and using the GDPR as the framework for their own legislation.
THE EVOLUTION WITHIN GOVERNMENT AND REGULATORY SPACES
Government Involvement in the COVID pandemic is an evolving space, and this involvement will have lasting effects.
Different governments have rolled out different technology solutions capabilities that perform contact tracing. Two examples of these policies underscores the different roles technology has had in the fight against the pandemic.
The first is China’s and South Korea’s response focusing on the near-ubiquitous deployment of payment processor Alipay. In addition to controlling all of the citizen’s financial information, this application requires the user to present QR codes at police checkpoints, shops, and the like. The checkpoints control the movement of individuals within parts of every city and province; those without the app cannot move freely. The identification of COVID and implementation of contact tracing is swift. The scale of tracking and movement restriction is fascinating, and technologically compelling.
However, these highly effective solutions do not map directly to the principles of data rights many western citizens have come to expect.
Contrast China’s response with Sweden’s response. This is focused on herd-immunity, including limited shutdowns, and a lack of available testing. It should come as no surprise the country is missing the data other countries have on technical prevention and alerting. Therefore, Sweden’s experiment has had limited technical involvement deployed, with fewer personal data concerns.
Time will tell if the populace of countries will accept these levels of location tracking by their governments and the implications for data sharing agreements between countries, extradition, legal processes, and everyday legal matters.
Conversations in and around personal health and privacy can be complex. At StrongArm, you’ll find a focus on the principles of data stewardship, belief in empowering our customers with critical information about their workforce, transparency in data analytics, and expertise in the government and regulatory space. Using data for the proper purposes will yield the results you’re looking for - time saved, accuracy improvement, and overall, your most valuable resource -- your people -- at their best.