Ethical Data Privacy in a Time of COVID-19

As COVID-19 continues to spread, the data collected from those who are infected will increase greatly. As the number of infected individuals rises, so does the potential stigma associated with infection. As a result, companies that collect data indicating infection status – even incidentally – must handle that information in an ethical manner that protects the privacy of data subjects. Even when regulations are vague or nonspecific, organizations must assess the necessity of sharing sensitive information, and they must respect the preferences of their data subjects.

Extending explicit choice to consumers even when not required allows them to control their own data in a detailed manner. Organizations increasingly are realizing that this is a business advantage.

Regulatory compliance versus ethical compliance

Regulations such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) suggest that data privacy is an increasingly universal concern. Regulations likely will continue to expand in geographic coverage and in specificity. Some companies, such as Microsoft, have taken a proactive approach and extended the protections afforded by this progressive legislation to those who reside outside the covered jurisdictions.

These extended protections anticipate the likelihood that similar legislation will be enacted on a wide scale. But a standardized regulatory framework also can serve as a foundation on which a company can build clear privacy policies and standards, keeping the rights of the consumer front and center.

Implementing an ethical data privacy framework

An ethical data privacy framework puts the rights of the data subject at the center of all data gathering activities. Organizations should be cognizant of the fact that any data gathered from consumers is essentially a loan, not the property of the organization that gathers it. Consumers must be given proper notice that their information will be used and how, and they must be provided with an opportunity to actively consent to its use. Once the business purpose for which the data has been collected has ended, the data should be deleted or de-identified in a secure fashion.Before you continue reading, how about a follow on LinkedIn?

Many companies elect to use opt-out consent, in which the consumer must take an action to limit the use of personal information. Privacy notices can be inconspicuous, and most consumers ignore them. Using an approach that allows the consumer to opt in is more ethically sound. By proactively alerting the person that they have a choice regarding the collection of personal data, organizations can make sure information is provided willingly.

The process of designing a standardized approach might result in a framework that is “over-compliant” in some parts of the world, and, initially, it will be expensive. However, cost savings are almost immediate. Organizations are relieved of some of the bureaucratic burden of starting from scratch with each new regulation. A “high-road” approach can increase the likelihood that only limited actions are needed when new regulations arise.

In addition, reporting of possible breaches is easier when data liabilities are thoroughly cataloged, so a standardized framework must include data mapping. Such an approach can make it easier to identify data subjects at risk so appropriate remediations can be taken quickly.