Beannachtaí ó Bhaile Átha Cliath — Greetings from Dublin!
Every conversation these days seems to start with a comment that it’s such a strange world in which we are living. It sure is. As with our colleagues worldwide, many of us in Ireland are working from home under some form of quarantine to avoid COVID-19. This new way of working has resulted in many questions being asked of privacy professionals: From the practical, how do we meet our security requirements when our team is working from home? to the esoteric, how should privacy be protected and data protection managed in the middle of a pandemic?
On the practical side of things, the Irish DPC issued guidance notes to help organizations manage their data protection obligations in this extremely difficult time. The most recent document is guidance on videoconferencing, no doubt reflecting the exponential increase in the use of video conferencing apps. The guidance is practical and helpful, particularly for smaller organizations. The DPC also announced it is working with other European regulators to discuss widely publicized concerns about the Zoom app.
The DPC has also issued guidance on “protecting personal data when working remotely” and “guidance for data controllers on security.”
These three guidance documents can help organizations manage the data protection challenges of remote working. They include a reminder that organizations must have clear and up-to-date policies around data security and devices. From my experience, the DPC usually asks clients to provide copies of policies with details of how they were communicated and whether staff was trained on them. So, it may be useful for organizations to take time to review their policies to ensure that they are current, and if not, to update them. It would also be a good time to have staff trained. This can be achieved by live remote training sessions using a (secure!) video conferencing facility.
From the practical questions to the esoteric ... Headlines scream “pandemic defense versus privacy rights” as if we are in a war between two opposing factions, rather than the real question: How do we protect people during a pandemic? How do we protect physical well-being as well as privacy rights? It needn’t be an either/or. Nor should organizations be leveraging this emergency to roll out technologies that could have huge impacts on privacy rights without first considering how to best integrate data protection. This should be the golden age of the GDPR that is designed around the balancing of rights. Concepts such as privacy by design and data protection impact assessments are ideally suited to help assess how best to use new technologies for good while also safeguarding privacy rights.
The EDPB has adopted a letter concerning the European Commission's draft guidance on apps supporting the fight against the COVID-19 pandemic. Andrea Jelinek, chair of the EDPB, said, “The EDPB welcomes the Commission’s initiative to develop a pan-European and coordinated approach as this will help to ensure the same level of data protection for every European citizen, regardless of where he or she lives.”
It’s a tough time right now. Medical professionals are asked to make impossible decisions daily. As privacy professionals, we must remember that potential technological solutions to help manage this pandemic must embrace privacy and data protection concepts so that we end up with solutions that recognize human rights — of life and privacy. As a wise philosopher* said, “with great power comes great responsibility.” That power increases exponentially in an emergency like this and so does the responsibility.
*Uncle Ben from Spiderman.