While the COVID-19 pandemic continues to wreak havoc, organizations in all sectors are being challenged to adapt to unpredictable waves of change. As various jurisdictions begin to allow offices and other physical operations to reopen, business leaders are looking toward employee surveillance and mobile contact-tracing systems to simultaneously protect employee health and wellness and mitigate business and operational risks.
As you review your own plans to loosen the reins and return to a new normal, consider your options carefully — or risk compromising your long-term road map.
Contact Tracing: A Tenuous Balancing Act
The process of identifying people who may have come into contact with an infected person, typically for public health reasons, has rightfully emerged as a technique leveraged by businesses for near-term survival. In the battle against COVID-19, artificial intelligence–driven technologies are being deployed at scale in the mad rush to reduce the spread of the virus.
However, this short-term solution comes with significant long-term implications because the impact of these predominantly reactive approaches warrants broader ethical debate.
While no one disputes the life-saving benefits of contact tracing, data privacy experts are concerned about the fallout from hastily deployed technologies during the COVID-19 pandemic response. The Stored Communications Act and other parts of federal law in the US include emergency exceptions that permit a company's release of personal data for government use — a public health pandemic or emergency being one example of an exceptional circumstance. This already allows technology and telecommunication companies to disclose, without individuals' consent, large amounts of data about them to the federal government, and at an unprecedented scale.
How the government uses and disposes of the data in the longer term remains to be seen. Meanwhile, your business's use of the same data is scrutinized by various compliance and regulatory requirements, even if exceptions apply during the COVID-19 pandemic response.
Businesses should, without delay, review their data privacy program to better understand the impact on employees and customers in the likely event that the states or the US government mandate disclosure of data to help with pandemic-reduction efforts.
By ensuring that any changes in the collection and processing of sensitive private information are aligned with both internal and external data privacy policies, businesses and IT leaders can safeguard against the risk of exposure or detrimental relaxing of data-handling best practices to enable pandemic-related data processing.
Public Safety vs. Privacy
Changes in operational processes can be viewed as an opportunity to reinforce your employees' knowledge in the following areas:
- The organization's privacy policies
- Compliance and legal obligations around data privacy and security
- Procedural instructions around how to handle data, including providing personal data and other sensitive data to third parties
The business still needs to define where to draw the line between safeguarding the public and surveilling the public. How can we reap the benefits that contact tracing provides while still ensuring that the private information leveraged is obtained consensually and used only for specified purposes?
To answer these questions, businesses must reinforce the primary objective — that is, the maintenance of public safety and global health. With this objective in mind, we can move to establish a set of parameters around the business use of this data. These include:
- A defined purpose for contact-tracing data. Integrating contact tracing into business processes and data flows introduces ambiguities around where these datasets came from and what they can be used for. Responsibly defined boundaries around private information collected for contact tracing, techniques such as data tagging/data classification, and simply segregated storage of contact-tracing data all reinforce the primary objective of maintaining public health and ensure that the data is not used for alternative purposes.
- Retention periods attached to every business process. Data collected as part of COVID-19 contact-tracing efforts should be used and retained only within the context of the pandemic. Establishing set retention periods and communicating these retention periods via privacy policies are both imperative in establishing a layer of trust.
- Documented handling procedures and elevated security. Sensitive private information collected during contact tracing often includes not just information about your employees but also people they have come in contact with. Documented and vetted handling procedures, including risk-mitigating processes such as data minimization or anonymization/deidentification of data, will ensure that appropriate consent mechanisms exist while reducing the attack surface on the contact-tracing data.
While businesses need to make quick decisions about privacy, they can also make thoughtful decisions by setting parameters and limits while ensuring employee consent. This will help both businesses and employees get through this challenging period. As noted in a recent MIT Technology Review article, "there's a strong argument that much of what we build for this pandemic should have a sunset clause — in particular when it comes to the private, intimate, and community data we might collect."