Data collection during the Covid-19 pandemic must be done in such a way that it doesn’t create future privacy risks, experts have said.
A greater understanding of how populations move and interact, in combination with artificial intelligence, is a valuable resource in predicting how the pandemic will continue to spread.
However, balancing the societal good that can be achieved through data analysis with an individual’s right to privacy is a key consideration, raising the question of whether privacy regulations should be relaxed in order to better understand and control the public health emergency.
The contact tracing technology developed by Apple and Google uses Bluetooth rather than GPS, and does not require the collection of personal data. It has therefore been welcomed by privacy advocates as an alternative to other contact tracing models.
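The privacy-preserving idea behind this decentralised approach can be sketched in a few lines. The following is a deliberate simplification, not the actual Apple and Google Exposure Notification protocol (which uses HKDF and AES-based key derivation rather than a bare hash): devices broadcast rotating random identifiers derived from a daily key, and matching against the keys of people who test positive happens entirely on the device.

```python
import hashlib
import secrets

def daily_key() -> bytes:
    # Each device generates a fresh random key per day; no identity is involved.
    return secrets.token_bytes(16)

def rolling_id(day_key: bytes, interval: int) -> bytes:
    # Rolling identifier derived from the day key, broadcast over Bluetooth.
    # Rotating the identifier prevents long-term tracking of any one device.
    return hashlib.sha256(day_key + interval.to_bytes(4, "big")).digest()[:16]

# Device A broadcasts its rolling IDs; device B records the ones it hears.
a_key = daily_key()
heard_by_b = {rolling_id(a_key, i) for i in range(144)}  # one ID per ~10 minutes

# If A later tests positive, only A's anonymous day keys are published.
# B re-derives the IDs locally and checks for overlap: no GPS, no names.
published_keys = [a_key]
exposed = any(
    rolling_id(key, i) in heard_by_b
    for key in published_keys
    for i in range(144)
)
```

Because matching happens on the handset and the published keys are random bytes, no central party learns who met whom, which is why privacy advocates preferred this model to GPS-based tracking.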
However, some have warned that the pandemic, and an increase in health reporting and movement tracking, could be used as a reason to increase surveillance, thus having a detrimental effect on consumer privacy. In fact, according to research by Security Today, a third of people said that the Covid-19 pandemic has made them more concerned about privacy.
Speaking at a virtual roundtable hosted by data analytics solution provider Truata, exploring whether privacy is dead in a big data world, the experts warned that apparent societal good should not come at the cost of data privacy.
“You don’t get to do it just because you decide that it’s socially good”
Jules Polonetsky, privacy expert and CEO of the Future of Privacy Forum, explained that the concept of social good is not always clear-cut.
“You don’t get to do it just because you decide that it’s socially good… first, we need to understand if it is actually going to be effective. Scanning crowds with giant thermal sensors: if the experts debate whether this is effective, then you don’t have a strong data protection argument to say it’s good or it’s useful,” he said.
“Is it effective? Is what you’re doing proportional? Is it reasonable? Is it balanced? These are all concepts that are already built into GDPR and into laws around the world.”
According to the Organisation for Economic Co-operation and Development, the unprecedented situation has led some countries to roll out new laws governing how data can be collected and processed.
This includes proposed amendments to the Infection Protection Law in Germany, which would require potentially infected people to identify themselves and provide information on their travel history or contact details. Meanwhile, emergency measures in Israel allow the government to use technology to track infected individuals by monitoring mobile phones.
UK-based charity Privacy International has warned that any extraordinary measures put in place to help contain the pandemic that involve individuals’ data must be “temporary, necessary, and proportionate” and must come to an end once the pandemic is over.
In other words, although greater data collection may have short-term benefits, it can create an erosion of privacy further down the line.
Regulation during unprecedented times
“Societal benefit is a strong argument; it puts you in the room. But you still need to show that you’re not going to keep the data forever, that you’re putting minimisation and de-identification controls in place, and that the stakeholders whose data it is understand, see and would agree with you that there is benefit,” said Polonetsky.
“You don’t just get to say it’s data for good and privacy doesn’t apply. It starts the conversation, and if you appropriately balance and have the rules and rights and technology, then we’re in a serious societal good position.
“You need to ensure that when you say societal good, you appreciate that there are some critics, and some risks that are downsides. And you need to show that you’ve taken care of those, so that it actually is ethically something that is of beneficial value to the community.”
When it comes to privacy regulation, it is generally accepted that regulations should not stand in the way of potential benefits to public health while also ensuring privacy is adequately upheld. According to McKinsey, “the consensus among European regulators and the European data protection supervisor is that the current crisis does not nullify the GDPR, but that its rules are flexible enough to accommodate the emergency measures while keeping in place adequate safeguards”.
However, some have argued that GDPR has hindered the international response to the pandemic. In an article in Science, researchers said that limits on data sharing have “hampered global biomedical research”.
“Privacy and social good don’t have to be in conflict”
Dr Maurice Coyle, chief data officer at Truata, said that improper data collection practices could result in privacy issues once the pandemic has subsided.
“There’s been an understandable rush to use data and technology to manage the pandemic. There’s a couple of things we need to consider though when doing that,” he said.
“There’s undoubted social good in preventing the spread and saving lives using data and technology, but we have to consider that there are privacy and ethical considerations at play. For one, the pandemic will pass, so for any data or analytics programmes that have been made available, if there are not adequate safeguards in place then they represent a future privacy risk, even from a regulatory point of view.”
He explained that privacy and social good are not necessarily a zero-sum game, and ensuring ethical and privacy-related considerations are upheld can actually improve the quality of datasets.
“Privacy and social good don’t have to be in conflict with each other if effective privacy and data protection by design is used. Really importantly, if privacy and ethical considerations are made in advance, it can actually improve the value and the ability of these analytics and data programmes to effect change,” he said.
“For a start, it’s well-recognised that if data is being collected and processed in a way that’s both ethical and has privacy at its heart, then these programmes will be accepted by the public. You get greater buy-in, and quite often you’ll find that, as a result, the data is much richer.

“It’s also quite interesting to note that when you’re talking about machine learning in particular, there’s a lot of prediction going on with regard to the data available. Machine learning can actually be improved by considering privacy and ethical implications upfront. It turns out that the machine learning models that have the most privacy risk are typically the ones that are over-fit. The ones that have individual decision paths related to individual people are the ones that contain the most reidentification risk.
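Coyle’s point about over-fitting can be made concrete with a toy sketch. The two “models” below are hypothetical stand-ins, not real trained classifiers: one memorises individual training records (one decision path per person), the other applies a single aggregate rule, and a crude membership-style probe shows that only the memorising model reveals who was in the training data.

```python
# Two toy "models" built from the same records: one memorises, one aggregates.
# (Hypothetical data and rules, for illustration only.)
train = [(25, 1), (37, 1), (52, 0), (61, 0)]  # (age, label) pairs

def overfit_predict(age):
    # Memorising model: an exact lookup, one "decision path" per individual.
    for a, label in train:
        if a == age:
            return label
    return 0.5  # uncertain for anyone it never saw

def regularised_predict(age):
    # Aggregated model: one threshold fitted to the group, not to individuals.
    return 1 if age < 45 else 0

def seems_trained_on(age, predict):
    # Crude membership-style probe: a confident answer betrays memorisation.
    return predict(age) != 0.5

# The memorising model reveals exactly who was in the training set;
# the aggregated model answers the same way for members and non-members.
```

This is the intuition behind membership-inference risk: the more a model’s behaviour depends on individual records rather than aggregates, the more it can leak about the people it was trained on.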
“It’s really important that we don’t forget the science part. Data science has rigorous methodologies that should be used, and you can’t ignore them. You can’t necessarily fast-track them, even in the face of a global pandemic, because if you do, the results and outputs that are produced could cause social harm: you could cause panic, or give a false sense of security. So I think really being sure to knuckle down and approach these things mindfully is very important as well.”