Dark Reading is part of the Informa Tech Division of Informa PLC

Commentary
Maxine Holt
1/28/2021 01:00 AM

Data Privacy Day 2021: Pandemic Response Data Must Align with Data Privacy Rules

Amid a pandemic, Data Privacy Day this year brings forth expanded responsibilities for organizations in the response to COVID-19.

One year ago, Data Privacy Day 2020 offered no more than a glimpse of the pandemic then appearing on the horizon.

However, this year's Data Privacy Day -- today, 28 January -- brings more widespread responsibility to ensure that the data held by public and private sector organizations alike is treated with respect, in line with relevant regulations.

Enterprises always have more personally identifiable information (PII) to protect than the year before, but this is particularly true in 2021, with the addition of the data held by government organizations engaged in the fight against COVID-19.

Maintaining data privacy is no easy matter: the footprint of information within and beyond an organization's boundaries can make it difficult to get a handle on what data resides where, and how it is used. Yet control of the information footprint is essential to provide the appropriate protection.

Data privacy has quickly become an essential component of government responses to COVID-19. The World Health Organization (WHO) recognizes this, and released a joint statement in November 2020 about the "use of data and technology in the COVID-19 response in a way that respects the right to privacy and other human rights and promotes economic and social development."

The statement recognizes that PII and other data play a key role in helping limit the spread of COVID-19. It also points out that if the data is used for purposes not directly or specifically related to the pandemic response, it could lead to the infringement of human rights and freedoms. The lawful requirements for the use and processing of data relating to the pandemic response are highlighted, as is the importance of destroying or deleting the data once it is no longer needed.

Countries enacting either mandatory or voluntary approaches to "track-and-trace" the spread of infection must be abundantly clear about how data will be used if they hope to effectively address significant data privacy concerns, as well as keep to the spirit of the WHO joint statement. This is not only a government issue; private-sector organizations will frequently be involved in this effort, and all must protect this data.

An appropriate paradigm to apply to today's data protection efforts may be zero trust. The concept has been around for a decade or so in the security world, and it is specifically intended to remove implicit trust from information systems protection: no user, system, or request is trusted by virtue of where it sits, and every access to data must be explicitly verified and authorized against policy.

A data protection policy that defines how an individual or system may accept, process, store, monetize, and otherwise manage data should be transparent: for example, a clear statement that law enforcement agencies cannot use any COVID-19-related data, or that the data won't be sold to a health insurance company.

Furthermore, the data must be destroyed at an appropriate point in time; details of contacts of individuals who have tested positive for COVID-19 are highly unlikely to be required three months after the contact occurred. Retention of such data might be allowed under some regulations, but it is not in the spirit of the WHO joint statement, and indeed unlikely to be what individuals would desire or expect to happen.
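The two policy properties above, purpose limitation with a deny-by-default stance and a hard retention limit, are the kind of rules a zero-trust data layer can enforce mechanically rather than leave to good intentions. The following is an added illustration, not code from the article or from any real contact-tracing scheme; the purposes, the 90-day retention window, the record layout, and the sample contact records are all assumptions chosen for the example.

```python
"""Deny-by-default purpose limitation and retention enforcement for contact-tracing records.

Added example; the policy values and records below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional, Tuple

# Assumed retention window: contact records are not needed three months after the contact.
RETENTION = timedelta(days=90)


class Purpose(Enum):
    CONTACT_TRACING = "contact_tracing"
    LAW_ENFORCEMENT = "law_enforcement"
    INSURANCE_SALE = "insurance_sale"


# Allowlist of permitted purposes. Anything not listed is denied: the zero-trust default.
ALLOWED_PURPOSES = frozenset({Purpose.CONTACT_TRACING})


class Decision(Enum):
    ALLOW = "allow"
    DENY_PURPOSE = "deny: purpose not permitted by policy"
    DENY_EXPIRED = "deny: record is past its retention period"


@dataclass(frozen=True)
class ContactRecord:
    case_id: str           # person who tested positive
    contact_id: str        # person they were in contact with
    contact_at: datetime   # timezone-aware UTC timestamp of the contact


def decide(record: ContactRecord, purpose: Purpose, now: datetime) -> Decision:
    """Evaluate a single access against the policy. Nothing is trusted implicitly:
    the purpose must be allowlisted and the record must still be within retention."""
    if purpose not in ALLOWED_PURPOSES:
        return Decision.DENY_PURPOSE
    if now - record.contact_at > RETENTION:
        return Decision.DENY_EXPIRED
    return Decision.ALLOW


def access(record: ContactRecord, purpose: Purpose, now: datetime,
           audit: List[Tuple[str, str, str, str]]) -> Optional[ContactRecord]:
    """Apply the decision and write an audit entry whether or not access is granted,
    so that denied attempts (e.g. a law-enforcement query) are visible to reviewers."""
    decision = decide(record, purpose, now)
    audit.append((now.isoformat(), purpose.value, record.case_id, decision.value))
    return record if decision is Decision.ALLOW else None


def purge_expired(records: List[ContactRecord],
                  now: datetime) -> Tuple[List[ContactRecord], List[str]]:
    """Scheduled deletion job: drop every record older than RETENTION.
    Returns the records to keep and the contact IDs that were purged."""
    kept: List[ContactRecord] = []
    purged: List[str] = []
    for record in records:
        if now - record.contact_at > RETENTION:
            purged.append(record.contact_id)
        else:
            kept.append(record)
    return kept, purged


# Constructed sample data (not real records). Evaluated as of 28 January 2021.
NOW = datetime(2021, 1, 28, tzinfo=timezone.utc)
RECORDS = [
    ContactRecord("case-001", "contact-A", datetime(2020, 11, 15, tzinfo=timezone.utc)),  # 74 days old
    ContactRecord("case-002", "contact-B", datetime(2020, 10, 1, tzinfo=timezone.utc)),   # 119 days old
]

if __name__ == "__main__":
    audit_log: List[Tuple[str, str, str, str]] = []
    for record in RECORDS:
        for purpose in Purpose:
            granted = access(record, purpose, NOW, audit_log) is not None
            print(f"{record.case_id} / {purpose.value}: {'granted' if granted else 'denied'}")
    for entry in audit_log:
        print("audit:", entry)
    remaining, purged_ids = purge_expired(RECORDS, NOW)
    print(f"purge: kept {len(remaining)} record(s), deleted contacts {purged_ids}")
```

Note that the purpose check runs before the age check, so an out-of-policy requester learns nothing about whether a record still exists, and that every decision lands in the audit log; a policy that is only written down, with no enforcement point and no record of denied requests, is the thing zero trust is meant to replace.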

This Data Privacy Day is a perfect opportunity for every organization to take stock of the growing need for due diligence in regard to data protection policy.

Omdia's annual report on Data Privacy Day covers responsibilities for dealing with data as part of the pandemic response, as well as the data privacy elements of ransomware, AI models, and deepfakes.

Maxine leads Omdia's cybersecurity research, developing a comprehensive research program to support vendor, service provider, and enterprise clients. Having worked with enterprises across multiple industries in the world of information security, Maxine has a strong ... View Full Bio
Comments
ggoodes (User Rank: Author), 2/22/2021 11:43:44 AM
Crowd-source contact tracing doesn't need PII
Thanks for your timely and insightful commentary.  On Data Privacy Day it is indeed appropriate to reflect on the last year and our Contact Tracing journey.  As the joint Google/Apple Exposure Notification system shows, we can have effective, crowd-sourced Contact Tracing without exposure of PII.  Let's hope that this is our Privacy future, and that mobile operating systems continue the trend towards protecting rather than exploiting our use of connected devices.