Greetings, fellow privacy professionals.
With all that is going on in the region regarding COVID-19, I thought I would touch on the impact it has on our individual security and privacy. COVID-19 has kicked off one of the largest global business continuity experiments for organizations of all shapes and sizes, including the government. A lot of focus has been on whether it is “business as usual” when employees work from home, and this has exposed some issues with organizations' capabilities to support it. As more employees work from home, security awareness should not be forgotten, and companies should ensure they have best practice guidelines in place for remote workers, including using multifactor authentication, strong passwords and VPN use, especially in public places.
On the privacy side, there has been a lot in the news regarding tracking individuals and their COVID-19 status through various social media and mobile apps. In South Korea, users can track their proximity to a patient who has COVID-19, the date they were diagnosed, recent travel history, gender, age and nationality. In China, provinces and cities with a combined population of more than 358 million have announced they are adding facial-recognition and phone-data tracking, in addition to a host of monitoring tools already in place. And Beijing has joined a national initiative that assigns color-coded QR codes to residents that determine whether they need to be quarantined. The initiative has been adopted in more than 100 cities across the country within a week.
There are numerous debates on the privacy and ethics of using these apps and the subsequent implications that may occur if the user is given an inaccurate rating. There will also be implementation challenges for companies to adopt these apps at such scale and in a short period of time. Hong Kong Privacy Commissioner for Personal Data Stephen Kai-yi Wong weighed in on the discussion: “There are sufficient legal and justifiable bases, whether under international law or local health-specific and personal data privacy legislation, on which the government may collect and use information obtainable offline or online with the aid of devices, applications, software or supercomputers with a view to tracking potential COVID-19 carriers or patients in the interests of both the individuals concerned and the public, not to mention the fact that the same approach has been adopted in many other jurisdictions.” With big tech giants backing such initiatives, it will be interesting to see what happens in the coming weeks and months and to gauge the public’s reaction. It will also be interesting to see the response in other countries if or when they try to adopt similar monitoring systems with COVID-19 tracking.
On a different note, and elsewhere in the region, the Office of the Australian Information Commissioner published a statistical report regarding their Notifiable Data Breach requirement. The report noted an increase in breaches notified under the scheme; malicious or criminal attacks remain the leading cause of data breaches, and health and finance are the highest reporting sectors.
This is the first time such a report has been released since the NDB went live, and new Director-General of the Australian Signals Directorate John Frewan says Australian businesses need to start treating cybersecurity with the same importance as other key functions, like financial performance, audits and risk.
Finally, we are hosting our first virtual IAPP HK Chapter KnowledgeNET Tuesday, 17 March, and HK IAPP members can register here. We plan to cover topics such as COVID-19, along with other regional updates, and the session will be hosted by me and my fellow co-chairs. We hope to have Commissioner Wong in attendance, so please register for this IAPP member-only session!
Keep safe; keep secure.