The crisis brought on by the COVID-19 pandemic has raised many important societal issues. Privacy is one such issue. Information is an essential tool in combating an epidemic, and this includes information about individuals. If public health officials can educate and isolate people with an infectious disease, they might prevent many more infections and save lives. But how invasive should this information gathering be, what are the risks, and how do we mitigate those risks? Here are some issues related to privacy and COVID-19.
1. Contact Tracing
There has been a great deal of coverage in the press recently about contact tracing, but what exactly is it? Contact tracing involves tracking the contacts an infected person has had and reaching those persons to inform and support them. The idea is to reach the people who had contact quickly enough for them to quarantine, stopping the chain of transmission so one infection does not become many.
These outreaches are made by contact tracers who are trained in information about the disease, effective communication (including active listening), and privacy. Because it involves health information, contact tracing activity in the United States is covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Contact tracers must respect confidentiality.
Procedures must be in place to ensure privacy and security. This includes ensuring network and device security, avoiding being overheard conducting interviews, and securing computer screens and handwritten notes.
To learn more about contact tracing, take the contact tracing course from Purdue Global.
2. Digital Contact Tracing
Contact tracing can be greatly enhanced with the use of applications (apps) on smartphones. Smartphones can track whether you have been in contact with someone exhibiting symptoms if that person is also using a compatible app. This is an impressive way to leverage technology, but it is important to build in privacy in a way that protects the information from abuse.
The concept of designing a process, program, or product with privacy in mind from the outset is known as Privacy by Design (PbD). One way to help assure privacy is to make both the use of such apps and the reporting of symptoms voluntary. This focuses the system less on surveillance and more on voluntary participation. Also, information can be locked down and inaccessible except when a report is made. This reduces the risk that the tracking information would be accessed for purposes other than public health, such as law enforcement or revenue generation.
User control and transparency is key to protecting privacy. Norway halted their use of the contact tracing app Smittestopp due to privacy concerns when it was discovered that the app was uploading people's live location information to a central server. Google and Apple, by contrast, have a decentralized system in which the information is stored on the individual’s device and the user must consent to notify the phones of people with whom they may have had contact. The tech companies would not know the identity of persons notifying others.
Governments can use surveillance technologies to track movements of populations as well as specific individuals, depending on local laws. Tracking people through their phones can demonstrate whether populations in certain areas are social distancing or not. Maps can be created to show the density of people within approximately six feet of each other. This can be used to show the necessity of stronger incentives for people to social distance, to highlight the effectiveness of current measures, or to predict likely increases or decreases in infection.
When tracking particular individuals, phones can be used to determine who someone has had contact with and whether that person is complying with a quarantine order. Facial recognition technology can also track an individual’s movements to some degree. Likewise, body temperature monitors in public places can measure whether a person is running a fever and may be infected.
Surveillance naturally raises privacy concerns. One way to address these concerns is to retain and report only anonymized data in the aggregate. In other words, data regarding individuals’ locations would be combined with those of large numbers of other people, and their identities would not be disclosed. Because the data would generally be gathered by corporations, they should assure that identities are not shared with government agencies. Use of facial recognition and temperature scanners can be problematic if the individuals are identified. This associates an individual with an infectious disease based on minimal information.
People with an infection deserve as much privacy as we can afford them, as do people suspected of infection who have not had their cases confirmed. Israel’s use of its anti-terrorism system to track individuals suspected of infection has naturally caused concern and was halted in June pending further legislation. China is making extensive use of surveillance, which raises serious privacy concerns beyond the immediate crisis.
Employers are faced with balancing employee privacy with the safety of other employees and customers. Certainly, if the employer knows individuals have potentially been exposed, the employers should notify them. It would be improper to identify the individual who is infected or displaying symptoms, but it may be hard to hide their identity in a small organization. This makes it important to educate employees as a whole on the importance of respecting each other’s privacy. Also, the employer should, if possible, obtain the employee’s consent for disclosure first.
Employers in the United States do not have the benefit of a comprehensive privacy law such on the General Data Protection Regulation (GDPR) in Europe, so they must be aware of their state’s laws as well as federal laws such as the Family Medical Leave Act (FMLA) and the Americans with Disability Act (ADA).
As you can imagine, cybercriminals wasted no time taking advantage of the novel coronavirus outbreak. Everything from counterfeit personal protective equipment (PPE) and COVID-19 tests to fake cures and COVID-themed phishing emails have surfaced during the pandemic. Consumers should take extra care with verifying the reliability of products and information, particularly during times of national crisis. Consumers who are contacted unexpectedly should not click any links or open any attachments in email or text messages. Even if the communications appear authentic, do an internet search for the official site of the company or agency rather than click on links. Call to verify any unusual requests.
Tracking Privacy and COVID-19 is Key
Balancing the need to protect privacy and slow the spread of the virus is critical. People need to be vigilant about their private information. Users and employers need to be informed about the risks to privacy posed by the coronavirus and the steps that can be taken, as well as knowing what organizations are doing to protect privacy.
Learn More About Privacy Issues and the Law
If you want to learn more about privacy issues and health care, Purdue Global Law School offers an Executive Juris Doctor (EJD) with specialized degree tracks health law and law and technology. The EJD degree is designed for those who wish to develop legal expertise but do not intend to become a practicing attorney.
Single law school courses in topics such as health law, medical malpractice, cyber law, and cybersecurity law are also available. If you wish to become an attorney licensed in California, consider our online Juris Doctor program.
You can also request more information today.