Contact tracing is one of the most effective tools in a public health emergency. The COVID-19 pandemic has created the need for contact tracing programs to expand to nearly the entire population. Naturally, this creates clear potential for infringement on privacy and civil rights. Additionally, some countries have national or regional laws forbidding this sort of data use. So is it possible to balance privacy concerns with the measures necessary to limit the damage done by COVID-19? The Hunton Andrews Kurth LLP Centre for Information Policy Leadership believes it is, and posits that organizational accountability measures are the key to making it work.
The paper, entitled “Covid-19 Meets Privacy: A Case Study for Accountability”, makes the case for a set of 12 organizational accountability principles intended to guide both private and public bodies as they attempt to walk the difficult tightrope between individual rights and social safety concerns.
12 principles of organizational accountability
Hunton Andrews Kurth is a prominent global law firm with a particular presence in Washington DC. The firm’s Centre for Information Policy Leadership (CIPL) is an international think tank that has focused on data protection and privacy issues for over a decade.
CIPL’s latest white paper proposes that the COVID-19 pandemic presents a unique opportunity to apply and test principles of organizational accountability in both the public and private sectors. The concept has been circulating in corporate leadership circles for several years now; the basic idea is that organizations are most productive when they find the “sweet spot” of accountability, where the terms are neither too strict nor too lax. A proper accountability culture leaves employees and management feeling that the terms are fair and in the best interest of everyone involved, and that willing acceptance and positive attitude enhances the company’s overall function.
A similar balance must be found in the use of data in the fight against COVID-19. It is an established fact at this point that the more people believe in and voluntarily participate in contact tracing programs, the more effective those programs are. An authoritarian approach, or an overly strict culture, will meet with strong resistance and cause people to avoid participating or find ways around the program. However, a lax “country club” approach threatens to create fresh waves of the virus in the future, which could in turn prompt more burdensome extended lockdowns.
The paper proposes 12 principles that could guide individual organizations that might find themselves processing and using this wave of sensitive data. From a public health perspective, this helps the entire effort to successfully balance necessary data use with privacy concerns. Organizations benefit as well, creating their own internal case study demonstrating how an organizational accountability program can improve general operations.
The 12 organizational accountability principles the paper proposes are:
Clearly defined and documented purposes of data use
Proportionality test
Privacy impact assessment
Transparency to individuals
Storage and use limitation
Roles, responsibilities and training
Data sharing agreements and protocols
Trust, but verify
Internal oversight and external validation
Regulatory engagement and validation
Privacy-by-design through technical measures
Principles of responsible data use
Some of these proposed data use principles dovetail with existing privacy laws, or with those expected to be adopted soon. For example, the “proportionality test” described here is essentially the GDPR’s existing data minimization principle (personal data must be adequate, relevant and limited to what is necessary for the stated purpose). The “data sharing agreements and protocols” principle likewise reflects the recent focus on third-party vendor and supply chain security, something the Department of Defense has recently begun to take much more seriously.
The principles also address some points of contention that have arisen in the development of early app-based solutions. For example, the “storage and use limitation” section calls for personal data to be deleted once the necessary public health response to COVID-19 winds down. The EU’s guidance for app development likewise calls for deletion of all personal and location data once the crisis is over, which is part of the conflict the bloc has had with Apple and Google over their joint contact tracing effort.
Ultimately, the key to a successful organizational accountability effort lies in a clear chain of responsibility that leads to a Chief Privacy Officer or some other clearly designated figure in upper management. “Fuzziness” about where the cybersecurity and data privacy buck ultimately stops has been a pernicious problem in all sorts of organizations since long before COVID-19; while generally seen as an internal issue, in this case it is also key to inspiring public confidence.
CIPL proposes that these principles will help organizations stay within their legal compliance requirements everywhere they operate, while also providing the general public with vital reassurance that it is safe to participate in these relatively intensive data use programs. The principles also offer a potential “rapid response” framework to deploy where governments are still struggling to produce relevant legislation. With these principles in place, organizations would have a leg up on rolling out data use measures as soon as local and federal governments give the green light. In the long run, organizational accountability might also support and improve other aspects of company operations.