Data Privacy Day 2021: Pandemic Response Data Must Align with Data Privacy Rules

One year ago, Data Privacy Day 2020 showed nothing more than a glimpse on the horizon of the pandemic to come.

However, this year's Data Privacy Day -- today, 28 January -- brings more widespread responsibility to ensure that the data held by public and private sector organizations alike is treated with respect, in line with relevant regulations.

While there is always more personally identifiable information (PII) than ever for enterprises to protect, this is particularly true in 2021 with the inclusion of data held by government organizations engaged in the fight against COVID-19.

Maintaining data privacy is no easy matter: the footprint of information within and beyond an organization's boundaries can make it difficult to get a handle on what data resides where, and how it is used. Yet control of the information footprint is essential to provide the appropriate protection.

Data privacy has quickly become an essential component of government responses to COVID-19. The World Health Organization (WHO) recognizes this, and released a joint statement in November 2020 about the "use of data and technology in the COVID-19 response in a way that respects the right to privacy and other human rights and promotes economic and social development."

The statement recognizes that PII and other data plays a key role in helping limit the spread of COVID-19. It also points out that if the data is used for purposes not directly/specifically related to the pandemic response, it could lead to the infringement of human rights and freedoms. The lawful requirements for the use and processing of data relating to pandemic response is highlighted, as is the importance of destruction or deletion of data.

Countries enacting either mandatory or voluntary approaches to "track-and-trace" the spread of infection must be abundantly clear about how data will be used if they hope to effectively address significant data privacy concerns, as well as keep to the spirit of the WHO joint statement. This is not only a government issue; private-sector organizations will frequently be involved in this effort, and all must protect this data.

An appropriate paradigm to apply to today's data protection efforts may be zero trust. It is a concept that has been around for a decade or so in the security world, specifically intended to remove the concept of trust from information systems protection.

A data protection policy that defines how an individual or system can accept, process, store, monetize, and otherwise manage data should be transparent, e.g. a clear statement that law enforcement agencies cannot use any COVID-19-related data, or that the data won't be sold to a health insurance company.

Furthermore, the data must be destroyed at an appropriate point in time; details of contacts of individuals who have tested positive for COVID-19 are highly unlikely to be required three months after the contact occurred. Retention of such data might be allowed under some regulations, but it is not in the spirit of the WHO joint statement, and indeed unlikely to be what individuals would desire or expect to happen.

This Data Privacy Day is a perfect opportunity for every organization to take stock of the growing need for due diligence in regard to data protection policy.

Omdia's annual report on Data Privacy Day covers responsibilities for dealing with data as part of the pandemic response, as well as the data privacy elements of ransomware, AI models, and deepfakes.