Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

1/28/2021
01:00 AM
Maxine Holt

Data Privacy Day 2021: Pandemic Response Data Must Align with Data Privacy Rules

Amid a pandemic, Data Privacy Day this year brings forth expanded responsibilities for organizations in the response to COVID-19.

One year ago, Data Privacy Day 2020 showed nothing more than a glimpse on the horizon of the pandemic to come.

However, this year's Data Privacy Day -- today, 28 January -- brings more widespread responsibility to ensure that the data held by public and private sector organizations alike is treated with respect, in line with relevant regulations.

While there is always more personally identifiable information (PII) than ever for enterprises to protect, this is particularly true in 2021 with the inclusion of data held by government organizations engaged in the fight against COVID-19.

Maintaining data privacy is no easy matter: the footprint of information within and beyond an organization's boundaries can make it difficult to get a handle on what data resides where, and how it is used. Yet control of the information footprint is essential to provide the appropriate protection.

Data privacy has quickly become an essential component of government responses to COVID-19. The World Health Organization (WHO) recognizes this, and released a joint statement in November 2020 about the "use of data and technology in the COVID-19 response in a way that respects the right to privacy and other human rights and promotes economic and social development."

The statement recognizes that PII and other data play a key role in helping limit the spread of COVID-19. It also points out that if the data is used for purposes not directly and specifically related to the pandemic response, it could lead to the infringement of human rights and freedoms. The lawful requirements for the use and processing of data relating to pandemic response are highlighted, as is the importance of destruction or deletion of data.

Countries enacting either mandatory or voluntary approaches to "track-and-trace" the spread of infection must be abundantly clear about how data will be used if they hope to effectively address significant data privacy concerns, as well as keep to the spirit of the WHO joint statement. This is not only a government issue; private-sector organizations will frequently be involved in this effort, and all must protect this data.

An appropriate paradigm to apply to today's data protection efforts may be zero trust. It is a concept that has been around for a decade or so in the security world, specifically intended to remove the concept of trust from information systems protection.

A data protection policy that defines how an individual or system can accept, process, store, monetize, and otherwise manage data should be transparent, e.g. a clear statement that law enforcement agencies cannot use any COVID-19-related data, or that the data won't be sold to a health insurance company.

Furthermore, the data must be destroyed at an appropriate point in time; details of contacts of individuals who have tested positive for COVID-19 are highly unlikely to be required three months after the contact occurred. Retention of such data might be allowed under some regulations, but it is not in the spirit of the WHO joint statement, and indeed unlikely to be what individuals would desire or expect to happen.

This Data Privacy Day is a perfect opportunity for every organization to take stock of the growing need for due diligence in regard to data protection policy.

Omdia's annual report on Data Privacy Day covers responsibilities for dealing with data as part of the pandemic response, as well as the data privacy elements of ransomware, AI models, and deepfakes.

Maxine leads Omdia's cybersecurity research, developing a comprehensive research program to support vendor, service provider, and enterprise clients. Having worked with enterprises across multiple industries in the world of information security, Maxine has a strong ...
 

Comments
ggoodes,
User Rank: Author
2/22/2021 | 11:43:44 AM
Crowd-source contact tracing doesn't need PII
Thanks for your timely and insightful commentary.  On Data Privacy Day it is indeed appropriate to reflect on the last year and our Contact Tracing journey.  As the joint Google/Apple Exposure Notification system shows, we can have effective, crowd-sourced Contact Tracing without exposure of PII.  Let's hope that this is our Privacy future, and that mobile operating systems continue the trend towards protecting rather than exploiting our use of connected devices.