Back to the new normal: privacy, HR & Covid

One of these days we’ll be allowed back to the office. Some of us might even come in. Eventually – don’t laugh – we might get back to normal. 

Except that in the interim, we’ve adopted a new normal. One where it’s OK to track people’s movements using their phone data; to roll out fitness tracking apps; to ask people to self-report their health status every day; to backtrack through all of this to trace their contacts, then leverage their address books to get hold of those people; to share medical information with colleagues and strangers. And so on and so on and so on. 

Re-adopting privacy principles 

Back in the dark ages BC – Before Covid – we privacy professionals would have been hopping mad, shouting about Article 9 Conditions for Processing, and the ineligibility of employee consent, and the rights and freedoms of the data subject. And so on and so on and so on. 

We must remember to do so again. The invasion of privacy, mainly but not exclusively by government, that has happened against the background of the Coronavirus pandemic is without precedent in peacetime democracies, but the laws that protect that privacy have not been repealed. Once the pandemic has passed into history, regulators – and more importantly data subjects – will start to care again, and we must not allow our employers and clients to be caught short. 

Cleaning-up exercises will need to go deep and wide 

Data collected to help protect employees and customers during the pandemic must be deleted – or at least anonymised if there is sufficient scientific interest in its value. Apps developed to help track staff must be retired; organisations must resist the temptation to repurpose them in a completely unjustifiable extension of processing. IM and cyber teams must be persuaded to withdraw, or at least constrain, the tentacles of security they have extended into employees’ personal devices to protect corporate data while staff were working from home. Access to data must be reviewed, and the sweeping authorisations that were granted to allow skeleton-staff working and to protect continuity must be revoked. 

We will be busy. 

Privacy rights are there for a reason 

We have an opportunity to plan our approach now. We have an obligation to keep track of what is being done, and by whom, even if we think it’s appropriate – or at least tolerable – under the circumstances. And we must be firm when we do return to normal. The principles we live by are good ones, and should not lightly be surrendered. 
