Privacy and Pandemics: A Thoughtful Discussion

As the COVID-19 virus spreads, governments, researchers, and healthcare institutions are seeking to obtain and deploy consumer data to track the spread of the virus, deliver emergency supplies, target travel restrictions and quarantines, and develop vaccines and cures. But can data collected from phones, credit cards, and other sources be used in this emergency without opening the door to lasting or limitless surveillance?

Yesterday, FPF convened a Virtual Workshop with a dozen ethicists, academics, government officials, and corporate leaders, and over 100 corporate attendees, to discuss responsible data sharing in times of crisis. It’s the first in a series of events about privacy and pandemics that FPF will use to develop best practices and policy recommendations for decision makers.

Participants discussed how recent “data for good” initiatives have informed data sharing during the crisis, concerns about data sharing in a time of low trust, lessons learned from past pandemics, how to effectively protect privacy and civil liberties, and what the COVID-19 pandemic means for the future of data sharing between companies, academics, and governments. 

A more detailed workshop report is forthcoming, but in the interest of urgency we share the most important advice that arose in the Workshop for companies with data that could be of value to public health:

• Understand how your own data sets relate to the needs of health experts. Any data set should be just one input into a broader epidemiological model. Some sets are not large enough, accurate enough, or relevant enough to be useful. Several participants warned that sharing flawed data or treating one data set as a “silver bullet” can lead decision-makers astray. Instead, companies should be sure to understand both the best ways that their data can be used and the risks associated with sharing their specific data. It is essential to work with medical and public health partners to understand their data needs, rather than merely provide analysis based on data collected for commercial uses.

• Continue to follow your guidelines for data protection during the crisis, and recognize that your standards for sharing have not changed. Participants agreed that data protection principles should not be abandoned because there is a crisis, but pointed out that the standards for prioritizing review of projects have changed because of pandemic-driven urgency. Many companies regularly face smaller scale emergency requests for data.  Some companies have established expedited processes to quickly elevate exigent data-sharing decisions to the highest levels. 

• Establish clear boundaries. History tells us that it is difficult to discontinue practices started in an emergency. In the absence of clear systemic rules, organizations should establish an exit strategy up front to protect against continued “emergency” practices after the crisis. Companies must be clear that data shared now should not be kept forever or used for other purposes; clear rules help maintain and build public trust in their programs. 

• Use data protection safeguards, such as anonymization and aggregating data. These are established techniques, but there is no standard definition about what they mean, and much skepticism about the ability to guarantee anonymization.  Companies should explain how they use techniques in specific situations. While data is being shared during this emergency, organizations must continue to follow principles such as data minimization, proportionality and destroying data after it is transferred or used.

• Work with a partner that has controls in place. Companies with established data for good programs have been working with partners to ensure data sets are appropriate, anonymized, and aggregated as much as possible. Participants expressed that working through existing arrangements is preferable to developing new partnerships in the midst of a crisis. For example, many university research groups have already data sharing agreements in place which have been vetted by Institutional Review Boards. These groups could act as a trusted partner between companies and public agencies.

• Be transparent. To maintain public trust, companies need to clearly explain what data is being shared, with whom, and for what purpose. 

The Workshop’s participants agreed that it would be better if more companies, non-profits, governments, and academics had been working collaboratively on the technical infrastructure, governance structures, and legal frameworks for data sharing in an emergency before the COVID-19 pandemic hit. 

Some participants recommended ways to strengthen the “data for good” ecosystem over time, including standing up new trust structures. One participant recommended strengthening the “data enablers” in the system, such as institutional or ethical review boards, which can serve as checks on ill-advised data sharing and also facilitate connecting data sources – often, companies that have data with socially beneficial uses – with data users, like researchers and policymakers. 

Participants also agreed that data protection and humanitarian action are completely compatible. While the trade-offs for decisions about sharing data have changed, there still should be a thoughtful and legally justified process for considering what data to share, with whom, for what purposes, and how it should be protected.

Many more insights and details were gathered and will inform FPF’s ongoing work with stakeholders to identify best practices and policy recommendations for decision makers.