Data and privacy implications in a COVID-19 world
There is no question data privacy and security are essential. From a commercial perspective, a single company – and no, not just Amazon – may possess the personal information of millions of customers. It is increasingly important this data be kept private and secure, so each customer’s identity stays protected and the company’s reputation, untarnished.
So, what is data privacy?
In functional terms, data privacy – also known as information privacy is concerned with how data is collected, shared and used.
More specifically:
- Whether or how data is shared with third parties;
- How data is legally collected or stored; and
- The regulatory restrictions that apply to it.
Data privacy is, quite simply, one of the most important assets a company has. With the rise of the data economy, companies now find enormous value in collecting, sharing and using data. As many know, companies such as Google, Facebook, and Amazon have all built empires on top of the data economy.
Transparency in how businesses request consent, abide by their privacy policies, and manage the data that they’ve collected, however, is vital to building trust and accountability with customers and partners who expect privacy.
Data privacy v data security
For clarity, and before we examine data privacy and security as part of the COVID-19 world, it’s important to make the distinction between data privacy and data security – as they are often confused with one another.
Data security is essentially the process of protecting files, databases, and accounts on a network. This is typically done by adopting a set of controls, applications, and techniques that identify the relative importance of different data.
So, to put a clear distinction between the two:
- Data privacy governs how data is collected, shared and used.
- Data securityprotects data from compromise by external attackers and malicious insiders.
Covid-19: Data privacy and security considerations
We open this by noting the information below is general in nature and as COVID-19 is currently a moving beast, it should not be considered definitive in any way.
There has been much written and indeed, speculated upon, since COVID-19 effectively made the world come to a grinding halt.
For our purposes, privacy and data security obligations have and continue to change in Australia in relation to the outbreak.
Importantly, Commonwealth government agencies and the private sector are still obliged to comply with their obligations under the Privacy Act 1988 (Cth) in relation to any health information or other personal information collected relating to COVID-19.
This noted, there is still much confusion around COVID-19 in relation to what information (data and security of data), can be collected, disclosed and what practical issues need to be kept in mind.
Let’s consider a few circumstances:
Q: Can government agencies and organisations use and disclose information about COVID-19 symptoms and if they can, what steps do they need to take?
A: While a complex matter, government agencies and organisations should still seek specific advice for their circumstances and their concerns. This includes how to notify at risk individuals – for example, those that have been in contact with an employee or customer that has been exposed to or infected by COVID-19.
Q: What are some practical issues to be considered when disclosing information about an individual’s COVID-19 symptoms?
A: In the first instance, you should consider the extent to which it is necessary to identify those that may have COVID-19 symptoms – both inside and outside the organisation. So, it may not be appropriate to send an Australia-wide email when you only need to inform those that work in the same vicinity – for example, the same building. From a data security point of view, keeping comprehensive and secure records of all meetings attendees would be a wise move!
Q: Have privacy regulators provided any specific guidance on privacy issues related to COVID-19?
A: At the time of writing, the Office of the Australian Information Commissioner (OAIC), has recommended Commonwealth Government agencies and private sector employees should aim to limit the collection, use and disclosure of personal information about their employees to what is necessary to limit and manage the COVID-19 outbreak. Regarding data security, to take reasonable steps to keep personal information secure.
As the COVID-19 station continues to change, we encourage you to talk to us about your legal position regarding data privacy and data security. If you or someone you know wants more information or needs help or advice, please contact on 1300 149 140 or email ch@lawbase.com.au.