Dark Reading is part of the Informa Tech Division of Informa PLC


Risk // Compliance

Commentary by Maxine Holt, 1/28/2021 01:00 AM

Data Privacy Day 2021: Pandemic Response Data Must Align with Data Privacy Rules

Amid a pandemic, this year's Data Privacy Day brings expanded responsibilities for organizations involved in the response to COVID-19.

One year ago, Data Privacy Day 2020 showed nothing more than a glimpse on the horizon of the pandemic to come.

However, this year's Data Privacy Day -- today, 28 January -- brings more widespread responsibility to ensure that the data held by public and private sector organizations alike is treated with respect, in line with relevant regulations.

Enterprises always have more personally identifiable information (PII) to protect than ever before, and this is particularly true in 2021 with the addition of data held by government organizations engaged in the fight against COVID-19.

Maintaining data privacy is no easy matter: the footprint of information within and beyond an organization's boundaries can make it difficult to get a handle on what data resides where, and how it is used. Yet control of the information footprint is essential to provide the appropriate protection.

Data privacy has quickly become an essential component of government responses to COVID-19. The World Health Organization (WHO) recognizes this, and released a joint statement in November 2020 about the "use of data and technology in the COVID-19 response in a way that respects the right to privacy and other human rights and promotes economic and social development."

The statement recognizes that PII and other data play a key role in helping limit the spread of COVID-19. It also points out that if the data is used for purposes not directly or specifically related to the pandemic response, it could lead to the infringement of human rights and freedoms. The lawful requirements for the use and processing of data relating to the pandemic response are highlighted, as is the importance of destroying or deleting the data.

Countries enacting either mandatory or voluntary approaches to "track-and-trace" the spread of infection must be abundantly clear about how data will be used if they hope to effectively address significant data privacy concerns, as well as keep to the spirit of the WHO joint statement. This is not only a government issue; private-sector organizations will frequently be involved in this effort, and all must protect this data.

An appropriate paradigm to apply to today's data protection efforts may be zero trust. The concept has been around for a decade or so in the security world, and is specifically intended to remove implicit trust from the protection of information systems: no user, device, or system is trusted by default, and every access to data is explicitly authorized.

A data protection policy that defines how an individual or system can accept, process, store, monetize, and otherwise manage data should be transparent, e.g. a clear statement that law enforcement agencies cannot use any COVID-19-related data, or that the data won't be sold to a health insurance company.

Furthermore, the data must be destroyed at an appropriate point in time; details of contacts of individuals who have tested positive for COVID-19 are highly unlikely to be required three months after the contact occurred. Retention of such data might be allowed under some regulations, but it is not in the spirit of the WHO joint statement, and indeed unlikely to be what individuals would desire or expect to happen.
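The two policy requirements just described, purpose limitation (no law-enforcement or insurance use of COVID-19 data) and time-bound retention (contact details deleted after roughly three months), can be enforced in code rather than left to a written policy alone. The following is an added illustration, not code from the article, Omdia, or any real contact-tracing system; the 90-day window, the purpose names, the pseudonymous contact identifiers, and the sample records are all assumptions constructed for the example.

```python
"""Policy-as-code sketch: purpose limitation and retention enforcement for
contact-tracing records. Added illustration only; the retention window, the
allowed-purpose list and the sample data are assumptions, not a real system."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed: "three months" from the commentary, expressed as a hard limit.
RETENTION = timedelta(days=90)

# Assumed allowlist of purposes the data may be processed for. Anything not on
# the list (law enforcement, insurance underwriting, marketing) is denied.
ALLOWED_PURPOSES = frozenset({"exposure_notification", "outbreak_statistics"})


@dataclass
class ContactRecord:
    record_id: str
    contact_hash: str          # pseudonymous identifier, not raw PII
    contact_time: datetime     # when the contact occurred (UTC)
    purpose: str = "exposure_notification"  # purpose declared at collection


@dataclass
class ContactStore:
    records: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)  # every decision is logged

    def add(self, rec: ContactRecord) -> None:
        self.records.append(rec)

    def query(self, requester_purpose: str, now: datetime) -> list:
        """Return records only for an allowed purpose, and never return
        records that have already passed their retention window."""
        if requester_purpose not in ALLOWED_PURPOSES:
            self.audit_log.append(("DENY", requester_purpose, now.isoformat()))
            raise PermissionError(f"purpose not permitted: {requester_purpose}")
        self.audit_log.append(("ALLOW", requester_purpose, now.isoformat()))
        return [r for r in self.records if now - r.contact_time <= RETENTION]

    def purge_expired(self, now: datetime) -> int:
        """Delete records older than RETENTION; return how many were removed."""
        before = len(self.records)
        self.records = [r for r in self.records
                        if now - r.contact_time <= RETENTION]
        deleted = before - len(self.records)
        self.audit_log.append(("PURGE", deleted, now.isoformat()))
        return deleted


def build_sample_store(now: datetime) -> ContactStore:
    """Constructed sample data: one contact 5 days old, one 100 days old."""
    store = ContactStore()
    store.add(ContactRecord("r1", "a1b2", now - timedelta(days=5)))
    store.add(ContactRecord("r2", "c3d4", now - timedelta(days=100)))
    return store


def demo() -> dict:
    """Run the policy checks against the sample store and report results."""
    now = datetime(2021, 1, 28, tzinfo=timezone.utc)
    store = build_sample_store(now)
    # Permitted purpose: only the record inside the retention window is visible.
    visible = [r.record_id for r in store.query("exposure_notification", now)]
    # Non-permitted purpose: refused and recorded in the audit log.
    try:
        store.query("law_enforcement", now)
        denied = False
    except PermissionError:
        denied = True
    purged = store.purge_expired(now)
    return {"visible": visible, "denied": denied, "purged": purged,
            "remaining": len(store.records), "audit_entries": len(store.audit_log)}


if __name__ == "__main__":
    print(demo())
```

The point of the sketch is that both controls are applied at the data access layer: an expired record is invisible to queries even before the purge job runs, and a request for a purpose outside the allowlist fails closed and leaves an audit entry, which is what a regulator or an individual exercising their rights would want to be able to check.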

This Data Privacy Day is a perfect opportunity for every organization to take stock of the growing need for due diligence in regard to data protection policy.

Omdia's annual report on Data Privacy Day covers responsibilities for dealing with data as part of the pandemic response, as well as the data privacy elements of ransomware, AI models, and deepfakes.

Maxine leads Omdia's cybersecurity research, developing a comprehensive research program to support vendor, service provider, and enterprise clients. Having worked with enterprises across multiple industries in the world of information security, Maxine has a strong ...

Comments
ggoodes, User Rank: Author, 2/22/2021 11:43:44 AM
Crowd-source contact tracing doesn't need PII
Thanks for your timely and insightful commentary.  On Data Privacy Day it is indeed appropriate to reflect on the last year and our Contact Tracing journey.  As the joint Google/Apple Exposure Notification system shows, we can have effective, crowd-sourced Contact Tracing without exposure of PII.  Let's hope that this is our Privacy future, and that mobile operating systems continue the trend towards protecting rather than exploiting our use of connected devices.