The global pandemic has significantly impacted our lives and raised ethical and privacy concerns for individuals, companies and society as a whole. While the more authoritarian countries such as China and Singapore mandated strict quarantining, social distancing and mask-wearing for citizens early on in the pandemic, the U.S. has relied more heavily on voluntary compliance, which allows for outliers who protest public health measures they feel restrict individual rights and freedoms afforded in a democracy.
Mask wearing and compliance with social distancing and stay-at-home orders raise individual moral issues – what can each of us do to protect others from harm. There are many privacy and ethical issues government and companies face about how to access and use technology to confront the COVID-19 outbreak. As states open and we learn to live alongside a highly contagious and virulent virus, both the public and private sectors must make decisions about how to protect people’s privacy as well as their health and financial well-being. Privacy professionals and in-house compliance staff are grappling with how to ensure the proper balancing of employee privacy rights. They are also tasked with reviewing the proportionality and effectiveness of data collection measures.
Businesses have struggled economically during the COVID-19 shut-down crisis and now, in the process of re-opening, those that hope to remain viable must make choices about how they will continue to operate with new rules, protocols, and expectations. Companies are facing challenges of how to protect their staff from health and safety risks and ensure that they mitigate potential claims against them. Will companies check employees’ temperatures upon arrival at the workplace? How will companies use new technology for cellphone monitoring that promises to track potential spread? As always, the technology offers privacy and security risks along with opportunities.
As a public health measure, contact tracing involves working backward from infected people to identify those who many have also been exposed to the virus so that they can be tested, isolated, and treated. The idea is to control and contain the disease as much as possible within the larger society. Theoretically, the more aggressive the contact tracing methods, the fewer people will become infected or sick. Contact tracing comes in two flavors: manual and automated.
Manual contact tracing works like this: if you test positive for Covid-19, the lab reports the results to the local health department, who then assigns a trained professional known as a contact tracer. The contact tracer calls you to talk about symptoms, offer help or medical advice, and asks for the names and phone numbers of people with whom you have recently come in contact. The contact tracer then calls the people on your list, informing each one only that they’ve been in contact with an infected person–but not revealing your name. The contacted person can then test and/or self-isolate until they are no longer a health risk to others. Advantages to manual contact tracing include minimal privacy invasion as well as the opportunity for the contact tracer who builds trust to act as a community health worker. Although decidedly low-tech it’s proven to be surprisingly effective.
Automated contact tracing, however, is where more sticky privacy questions arise. If you test positive for Covid-19 you can’t contact everyone who rode the elevator with you last week. You can’t contact the jogger who sped by you in the park. Automated contracting tracing apps now abound – MIT is tracking the tracing apps – and tech giants Google and Apple have partnered to make an automatic tracing app technology that draws on information about the location of cell phones and its proximity to other people’s phones. The ideal is that public health experts can use this personal data from your phone to identify who you have been physically close to and possibly infected–while still protecting your privacy by masking your personal identifying data. Such contact tracing apps are already mandatory in China, India, and Turkey.
What are the sticky privacy and ethical issues involved in automated contact tracing, what has been called “a privacy nightmare?”
For one, unless the apps are engineered with the appropriate advanced technology to maintain very levels of privacy, the collected tracing data makes it easy to hack into people’s personal data by making inferences or linkages. At present, inconsistencies exist in app development and approaches that could lead to lack of coordination. Then there’s the danger of implementing a technology that collects more data than is required, either intentionally or unintentionally. And even if all the bugs are worked out and automatic contact tracing becomes a truly viable preventive public health measure, there’s a danger that people won’t trust the technology and therefore will refuse to use it.
In the ongoing uncertainty of the COVID-19 crisis, companies should consider regulator guidance carefully and pay attention to recommendations given. Also of concern is how much data to share with public authorities and when. Remember that it’s not all new—chances are your organization has existing crisis management, legal and HR resources in place to review and make recommendations about privacy, employee rights, and ethics that can be leveraged and adapted to the current crisis.
Guiding principles for best practices
When considering privacy and ethical issues, take into account the following:
1. Information collection must be necessary and proportionate to the harm one is trying to prevent.
2. Just because you can do something doesn’t mean you should. Ethical considerations go beyond what is legally permissible.
3. Consult resources from the Future of Privacy Forum, IAPP, The World Health Organization and various data protection regulators for information on COVID legal and ethical issues. An independent investigation of worldwide COVID-19 mobile apps by the International Digital Accountability Council (IDAC) “revealed several instances in which apps fell short of best privacy practices and posed potential risks to users.”
There is a risk that companies fail to recognize that some actions that are needed in a crisis should not become the status quo. A best practice approach is to be mindful in our data collection, step back and determine what we have learned about ethics, governance, business continuity and organizational culture to ensure we have better business resiliency without sacrificing privacy. Employee privacy is no less important than consumer privacy – and being respectful of privacy is critical to maintaining employee morale and loyalty.
Events such as the COVID-19 pandemic will force greater awareness of the common interest of protecting privacy as a legal obligation and ethical imperative.