For nearly two years, the Network for Public Health Law’s COVID-19 Data Sharing and Privacy Program has provided COVID-19-related data privacy assistance to more than 100 tribal, state and local public health departments throughout the U.S. and developed guidance accessed by countless others.

In Germany, b.yond’s Corporate Digital Responsibility program has helped companies implement digital ethics as they adapt to complex privacy laws worldwide as well as advances in digital solutions and products, offering effective solutions that enhance trust between a company and its data subjects.

For their unique privacy and data protection services in the private and public sectors, the Network and b.yond’s initiatives received the 2021 HPE-IAPP Privacy Innovation Awards, for the Americas and EMEA/APAC regions, respectively. The Privacy Innovation Award is meant to distinguish operations that integrate privacy and elevate its value as a competitive differentiator and a centerpiece of trust.

The Network will be highlighted during a KnowledgeNet event at 3 p.m. ET Jan. 26, while b.yond will be celebrated on a date and time to be determined.

“We’re very excited, and especially excited to make public health and public health’s collection, use and disclosure of data visible to sectors of health care, media, and others who may not think about public health data,” Director of the Network for Public Health Law’s Mid-States Region Office Denise Chrysler said.

Upon learning b.yond’s Corporate Digital Responsibility program received the award, Tobias Neufeld, CIPP/E, CIPM, partner at international law firm ARQIS, said the team “totally freaked out.” b.yond is a joint venture between ARQIS and the Witten/Herdecke University’s Institute for Digital Transformation in Healthcare.

“It’s so exciting,” he said. “If you look at the network and the know-how the IAPP is pushing, it’s so huge.”

Improving public health, while protecting privacy

When the COVID-19 pandemic began unfolding in February and March of 2020, Chrysler said the Network began receiving questions from local health departments, health care providers, media and others on the collection, use and dissemination of data and complying with various data protection laws, including the Health Insurance Portability and Accountability Act.

So the organization’s privacy team — made up of six attorneys with expertise in public health and data protection laws — shifted its focus to the COVID-19 Data Sharing and Privacy Program, assisting public health agencies with unprecedented pandemic privacy-related questions, and ensuring their access to information necessary to quickly respond to emerging issues while protecting individuals’ privacy.

Information was made publicly available through the organization’s website, including nine guidance documents developed to help public health agencies in their response, like a COVID-19 and Health Data Privacy FAQ covering topics from HIPAA waivers to reporting data to public health authorities. The group also held webinars on topics including data sharing for public health surveillance, investigation and intervention.

“When the pandemic hit, we were all in place because that’s what we’ve done since 2010. The questions came much more quickly, and they were even more difficult than ever because of the strong emphasis we have in the health care sector and in the public health sector on the protection of privacy and the definition of identifiability,” Chrysler said. “Erring on the side of protecting privacy where something might lead to identification can be really challenging when you need to also be transparent and push data out not only to the health sector but to the public more generally and to community leaders who need to make decisions.”

In crafting guidance, Chrysler said the Network looks at “all the different ethical, practical, feasibility and mitigation factors in making a decision.” They also have a three-step process that considers whether an action is legal, mandated or “should” be done.

“So, a lot of our responses often would be, ‘Let’s go through what the law says and then the factors you may want to consider and weigh,’” she said.

The biggest challenge for the team, Chrysler said, has been that answers, particularly during a worldwide pandemic, are not often easy and the crisis shined a light on privacy and data in a different way.

“Initially in the pandemic it seemed that controlling the disease was the highest priority. As the pandemic has gone on, it seems some people have had a greater sensitivity to whether government should be having access to identifiable information even for public health purposes,” Chrysler said. “If public health doesn’t have the necessary data, including data that’s identifiable, public health just can’t do its job.”

A ‘catalogue of ethical boundaries and obligations’

With data privacy laws in place and emerging around the world, a growing awareness and curiosity about data use among digital users, and other advances in the digital space, it’s not enough for companies today to focus on protecting personal data and regulatory compliance, Neufeld said. Through corporate digital responsibility, they can take those efforts to the next level, building an important trusted relationship with consumers.

“There’s something beyond just privacy compliance, and that goes back to trusting systems, trusting algorithms,” Neufeld said. “In the past two or three years, people are less and less willing to just give their data to an organization. There’s a growing sense of ownership, my data, my rights, data sovereignty. Corporate digital responsibility is in place for that.”

b.yond’s Corporate Digital Responsibility program — run by a team of professionals each with more than 20 years’ experience in health care, privacy and ethics — advises on a company’s digital ethics and corporate digital responsibility, and works with the organization to create a program that can be implemented. The team helps companies define their digital values, assess current risks, and establish a board of digital ethics to oversee the organization’s corporate digital responsibility, as well as a code of digital ethics, which Neufeld called their “foundation.”

“It’s typically a three-step project we undertake with them. First, we define what digital values you want to look at and form the basis of your program. We call that the code of digital ethics, it’s like your foundation. We have a basis of typically five to 10 digital values, then you operationalize that by doing a risk assessment. Third, you need to properly design a governance system with policies and procedures your organization plays by,” he said. “Every step of the process is being looked at by us. Any danger or risk for digital values, we find. At the end of the day, you have a risk assessment in writing telling you where you have risk issues.”

Neufeld called the result a “catalogue of ethical boundaries and obligations.”

The HPE-IAPP Privacy Innovation Awards are judged by a panel of voluntary privacy experts who represent a variety of industries, sectors and geographies. Judges called b.yond’s Corporate Digital Responsibility program “a practical and efficient solution for businesses,” with one saying corporate digital responsibility could be “one of the leading concepts in the privacy field in the future (or currently).”

Another judge said organizations are understanding their duty to society and, using corporate digital responsibility, they can “keep the data safe and also will manage the due diligence in an effective way.”
