Dear, privacy pros.
As we put a most unusual year behind us, it seems appropriate to look back and consider the lasting impact the COVID-19 crisis is likely to have on privacy.
For one, I suspect that even as Big Tech companies find their ability to amass massive amounts of personal data increasingly curtailed, whether through regulatory or technical measures, governments may need to collect more information or more types of information from their citizens to minimize the impact of the current pandemic or avert the next looming disaster.
The need to impose strict safeguards around the use of such information came under the spotlight in Singapore, after Minister of State for Home Affairs Desmond Tan revealed that contact-tracing data collected under the TraceTogether system could be used in criminal investigations. While it is certainly not unusual for the police to have powers to seize such information under existing provisions in the Criminal Procedure Code, and similar (perhaps even more) data can potentially be obtained through other sources, like telecommunication service providers, the way the entire episode unfolded does seem to undermine earlier assurances from the government that TraceTogether data would only be used for contact tracing.
At the end of the day, while this incident may point to a communications or public relations failure more than anything else, I believe the real lesson here is that a proper balancing of the right of an individual to privacy and countervailing public interest needs to be undertaken at the start of every project, in line with rules on privacy by design and privacy impact assessments established by the Personal Data Protection Commission. The fact that the TraceTogether privacy notice had to be updated in light of the recent revelations to provide greater clarity on how the information may be used suggests that this may not have been done.
If the government's objective is to encourage the highest possible take-up of the TraceTogether system, and concerns about the police having access to the data collected could prejudice the take-up rate, then a decision should have been made then about whether such data should be exempted from the CPC. If the decision is that such information should not be so exempted, individuals should be notified and can make an informed choice accordingly.
Of course, the government can always make it mandatory for individuals to give up information, and making checking via TraceTogether compulsory for entry into certain types of premises may, in fact, achieve that effect. Again, I would have no objections if the "greater good" can be proven, but it would be preferable for this to be made clear at the outset.
The other major shift that COVID-19 has brought about is a sea change in what the workplace looks like for a lot of people. While it is too early to conclude if telecommuting (perhaps not even from home) will become a permanent feature for a significant part of the population, it is clear that employers will need tools to ensure that employees working remotely remain productive and engaged, and such tools would likely impinge upon the privacy of the employees. I believe the tension created when employers need to monitor employees in the private space of their homes is another space to watch closely.
For a more detailed retrospective, I could do no better than recommend The Privacy Advisor podcast episode 18 Dec. in which IAPP Editorial Director Jedidiah Bracy, Vice President and Chief Knowledge Officer Omer Tene, and Research Director Caitlin Fennessy got together to discuss privacy in 2020 and what's ahead in 2021.
More crystal-ball gazing will take place during the IAPP's upcoming Data Privacy Day LinkedIn Live session hosted by our President and CEO J. Trevor Hughes. A wonderful panel of thought leaders has been assembled for this event, including Kate Colleary, Dirceu Santa Rosa and Daimhin Warner, IAPP country leaders from Ireland, Brazil and New Zealand, respectively, as well as Dominique Shelton Leipzig from Perkins Coie.
Finally, while you are there, you may also wish to sign up for the upcoming "Profiles in Privacy" session between Trevor and FIFA Head of Data Protection Jorge Oliveira.
With that, I wish you a great year ahead and happy reading!
If you want to comment on this post, you need to login.