At this time of national crisis, it’s only natural for businesses to focus on their survival, and on their customers’ and employees’ health. It’s not only natural, it’s the right thing to do.
But it’s not the only thing to do. Even in a crisis – perhaps most importantly in a crisis – it’s essential that we continue to respect each other, and try to protect the rights that are part of the fabric of our society. We all want to do our part to get through this difficult time. We will get through it, and when we come out the other side it’s also only natural that we will be judged on what we did.
Governments and, unforgivably, supervisory authorities (yes, @ICONews, I’m talking about you) are behaving as though privacy can just be switched off for the duration. Yet we all know that, once shared, data can never be unshared. We’re building vast databases of sensitive personal data, including health and location, and we’re doing it in a rush, with limited oversight and few, if any, safeguards.
Please, if you’re involved in any of these initiatives, whether as an employer, a healthcare professional, a privacy specialist or a data scientist, try to think about the possible long-term harm you could be causing as you try for short-term good.
Collect only the data you need
As privacy professionals, we see two major privacy risks arising from this crisis. The first is over-collection and over-processing of health and location information, especially about employees. Do whatever you think necessary to protect your staff and your customers, but take care that you also do only what is actually necessary.
Don’t name people unless you have to. Don’t store information unless you have to. Don’t collect detailed medical information – leave that to the health professionals. Above all, don’t share information unless you have to.
The other is data breach. I’ll talk more about this in a future blog post, but for now just remember that you – and every other business – have triggered your business continuity plans at unprecedented scale and very short notice.
Your staff are working from home, on domestic internet connections shared with their families, often using their own computers. You’ve inevitably lost control and oversight of your perimeter and your network. Most of your company’s work, and so most of its confidential data, is now being processed on systems with far less security than before and by people under enormous emotional stress.
Caring about your staff is caring about data
Talk to your staff. Ask them to think twice about incoming emails with urgent Coronavirus instructions or promises of government money. Ask them to consider what data they download, and where they keep it, and who else in their family can see it. Tell them not to print out personal data.
Reassure them that you’d rather they took longer to do their work and avoided a data breach. Make sure they have a reliable source of advice and guidance.
As far as we can, we all need to try to carry on with business as usual. It won’t be business as usual, of course, but anything we can all do to keep the wheels turning will soften the inevitable blow. But while we do this, we have to remember that the harm from data breaches and data misuse is real – people’s personal and financial lives have changed, not stopped – and we must be sure to do our bit to protect them while the healthcare systems do their part to protect their nations as a whole.