Privacy & Information Security Law Blog

On April 14, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP published an article entitled “COVID-19 Meets Privacy: A Case Study for Accountability” (the “Article”).

The response to the COVID-19 pandemic has seen increased use and sharing of data in both the public and private sectors. For instance, to anticipate the coronavirus’ spread and peak, to test new medications, understand social interactions, and to track and verify that quarantine and social distancing measures are observed. Such new uses have brought into sharp focus public concern over the right to privacy. They also have stirred debate on whether our fundamental right to life must trump privacy rights. CIPL’s new Article shines a light on how organizational accountability can serve as a mechanism to bridge the dual imperatives of privacy and innovative data use.

The Article lays out 12 basic accountability measures that organizations of all types, including companies, governments, research and academic institutions, can agree on and implement immediately to address data privacy concerns and enable responsible collection, use and sharing of personal data in the fight against COVID-19. It also highlights how constructive engagement between regulators and organizations is especially crucial in the current COVID-19 climate where new and unforeseen uses of data are becoming essential for protecting the public.

The 12 accountability measures include:

1. Clearly defining and documenting purposes of data use;
2. Ensuring data processing is a proportionate response to the desired objectives;
3. Conducting privacy impact assessments;
4. Providing transparency to individuals;
5. Ensuring robust security;
6. Adhering to storage and use limitation principles;
7. Clarifying roles and responsibilities of staff, contractors and third parties, and providing appropriate training;
8. Defining rights, obligations and specific controls through data sharing agreements and protocols;
9. Verifying the implementation of accountability measures through assessments and audits;
10. Ensuring internal top management and chief privacy officer oversight, as well as, external validation via data/ethics advisory councils or data review boards, where appropriate;
11. Constructively engaging with regulators and seeking feedback on new data projects; and
12. Ensuring privacy-by-design through technical measures such as differential privacy, anonymization and federated learning.

We all are engaged in the same battle against the coronavirus. Data and technology has armed us with new and effective resources against the virus’ destructive potential. We must use them to the fullest. In times of danger, individual privacy cannot trump our social responsibility towards others. Nor should the common good have to trump privacy. Accountability enables us to enjoy both.

To read about the accountability measures above in more detail, view the full Article.