
Identifying and Addressing Potential Privacy Breaches During the COVID-19 Pandemic and Beyond

Image Credit: SasinP/Bigstockphoto.com

Personal data is a key weapon in the fight against Coronavirus, but only if it is used legally and ethically.

In the digital age, personal data is the lifeblood of businesses and the economy. It enables e-commerce, work transactions and learning to take place beyond the limits of the physical environment. At the same time, individuals and consumers are zealously guarding their privacy and personal data. In the past decade, countries have been enacting legislation to protect personal data, so that protecting it is not only a business requirement but also a legal one. It is the minimum that individuals, consumers, stakeholders and even employees expect from the organisations they transact with, work for or invest in.

For these reasons, data protection should be a top priority for any organisation. It rests on three assurances: availability of the data to the employees who need it; integrity of the data, i.e. keeping it correct and up-to-date; and confidentiality of the data, i.e. making it available only to the people who are authorised to access it.

Impact of data protection laws

There are currently five ASEAN countries that have either tabled data protection bills or passed data protection laws. The total market population impacted by this legislation is not insignificant, numbering 468 million individuals or data subjects. Beyond ASEAN, two giants, India and China, with a combined population of 2.7 billion, are proposing or further refining data protection bills. Many of these countries have indicated that their laws will be comprehensive and have aligned their legislation with the EU General Data Protection Regulation.

With the COVID-19 situation, there has been an exponential increase in the use, and abuse, of personal data, and personal data protection is fast becoming an ever more urgent and important aspect of business operations. With technology and convenience, complacency may set in, and any mistakes, especially in handling personal data, can be amplified by technology. Why is this so? Because at each point of business operation, from collection to usage, to storage (retention) and disclosure or transfer of personal data, there is a risk of unauthorised exposure or breach.

Source: Data Protection Excellence Centre (DPEX), Straits Interactive

Graphically, we can see that at various points in the cycle of personal data utilisation, due consideration has to be given to how the data is handled, especially where laws and regulations specify how the personal data should be treated and protected.

Source: Data Protection Excellence Centre (DPEX), Straits Interactive

Within the cycle, at the various points of collection, usage (or processing), storage (or disposal) and disclosure (or transfer), there are regulations which the organisation needs to adhere to.

Source: Data Protection Excellence Centre (DPEX), Straits Interactive

In collecting personal data, organisations need to ask: does the collected data fulfil its purpose? Is it proportional? Is it excessive? The amount of personal data collected should be kept to the minimum necessary to fulfil the company's analytics needs.

Likewise, the collection should be consistent with the declared and specified purpose. The personal data should not be used for purposes other than those defined by the organisation.

Personal data is processed on the basis of the organisation's legitimate interest. The legal basis should be clearly identified and the data subjects made aware of the processing. In the case of the COVID-19 pandemic, such processing appears to be an effective first line of defence in containing the spread of the disease and minimising the harm to the physical health of the population at large. In this case, processing of personal data for surveillance and contact tracing would serve a legitimate and public interest.

To what extent can government authorities require organisations such as telcos, Internet service providers and e-payment service providers to disclose the movement and location data of their customers? The right balance has to be struck between serving the national and public interest in such a crisis and protecting the privacy of individuals.

Under the present “lockdown” or “circuit breaker” (a term used in Singapore), employees have to work from home (WFH). Policies and procedures should be laid out for employees adapting to work-from-home arrangements. Employers need to keep employees working from home, and monitor them only for what is relevant to the work being performed.

The risks of breaches and unauthorised exposure can be mitigated if the organisation invests time and resources in a data protection management programme. Under the “APSR” framework, the organisation invests in governance and puts in place plans to Assess, Protect, Sustain (the data protection programme) and Respond.

Source: Data Protection Excellence Centre (DPEX), Straits Interactive

Some actions that need to be carried out in operationalising the APSR framework would include:

  • Getting management to sponsor, and setting up, a data management working team, which acts on the following:
      • Data Protection Notices
      • Consent Clauses in Contracts/Forms
      • Consent Register
      • Procedure to withdraw consent/unsubscribe
      • Third-Party Contracts
      • Data Sharing Agreements
      • Non-disclosure agreements
      • Queries, complaints and dispute resolution handling processes

  • Ensuring a proper legal basis for processing, based on:
      • Confidentiality/DPA in Employment Contracts
      • Acceptable Use Policy
      • Bring Your Own Device Policy
      • Standard Operating Procedures (CUDS)
      • Procedure to check the accuracy
      • IT Policy
      • Info Security Policy
      • Retention Policy

The pandemic is but a catalyst for online transactions, work and social interactions, all of which accentuate the importance of privacy and personal data protection. If the untoward happens even with the risks reduced, these measures are evidence of the steps the organisation has taken and are mitigating factors in its favour.

Author

Kevin Shepherdson is the CEO and Founder of Straits Interactive, a data privacy consultancy and training provider, based in Singapore.
