- Only collect what you need, and be able to prove it
- Don’t do any medical screening without a health care professional involved
- People will give you more information if they trust you
The world has changed dramatically the past two weeks, and many organizations now need to collect more personal information than before the pandemic. Some are asking for information from their employees to keep them safe; governments are searching for ways to triage calls to overloaded public health hotlines; and ways to track community spread to contain the virus.
Whether it’s their symptoms, their location, underlying health issues, their travel in the last 14 days, or even their age, it’s natural for people to feel scared when asked for this information. They might think they will be targeted by enforcement/confinement, or just embarrassed about their medical history. This fear may lead to people lying, downplaying symptoms, or just not providing information. That’s why it’s critical to make people feel safe when asking for information – Even if it’s mandatory.
How do we reassure people? Remind them that you take their privacy seriously. Tell them who you’ll share their information with, and if it will identify them or be anonymized. EFF has a great article on the principles to follow for COVID-19 tracking.
Telecoms and governments are exploring the use of cell phone location data or social media data for contact tracing purposes. Experts in Canada are considering the impact of cell phone location data. The UK has already received the stamp of approval from their privacy regulator to use cell phone data. “The important thing is that data protection is not a barrier to sharing data,” said an ICO spokeswoman.
In California, Google has said that its users’ location information is not specific enough to do contact tracing, so using that data would likely be considered unfit for purpose and indefensible. Proportionality can be used as a guiding principle for these types of decisions. Is the privacy invasion worth the benefit we get from the data? If the experts say the data is worthless, then no.
Sometimes the data is too good. South Korea has a system to alert people that have been near someone with COVID-19. The data is supposed to be anonymous, but the public have re-identified individuals. Two people from the data are accused of having an extra-marital affair. Goh Jae-young, an official at the Korea Centers for Disease Control Prevention, told the BBC, “At first we interview the patients and try to gather information, emphasizing that this affects the health and safety of the entire people. … Then, to fill in the areas they perhaps haven’t told us, and also to verify, we use GPS data, surveillance camera footage, and credit card transactions to recreate their route a day before their symptoms showed.”
On the employer side, you’ll want to only ask for the information needed. If it’s necessary to collect health information, they should not ask for a full medical history from an employee. Hungary’s privacy regulator also calls out forced temperature checks with a thermometer as disproportionate when required for all employees.
It’s clear that extraordinary measures are needed to combat the spread and effects of COVID-19. The question is: When all options are on the table, how far will we go?