Why Businesses Need to Do Privacy Impact Assessments for COVID-19 Solutions
September 15, 2020
While it’s important to prove to your employees that your company is protecting their privacy rights — especially if you’re collecting their personal health data to protect the entire company from exposure to COVID-19 — it’s equally important to demonstrate compliance with data protection laws to state and federal regulators.
“Employers want to maintain their businesses [during the pandemic], but they can’t do that without their employees,” Jodi Daniels, a privacy law expert and practitioner, explained in a recent Q&A. “They need to think about their people first. Employees want to earn a paycheck, but they also want to make sure their data isn’t being misused.”
One way that companies can create a safe workplace and prove they’re protecting employees’ personal data is to conduct a privacy impact assessment (PIA) for any vendors they’ve contracted to assist with COVID-19 recovery efforts. This can include everything from contact tracing apps to daily health monitoring technologies to any other solution provider.
What’s a Privacy Impact Assessment?
Privacy impact assessments analyze how an organization collects, uses, shares, and maintains individuals’ personally identifiable information (PII). An organization uses PIAs to review its own processes or those of the vendors it works with, and then determines how those processes affect or compromise the privacy of the individuals whose data it holds, collects, or processes.
Benefits of conducting a PIA, according to the International Association of Privacy Professionals, include that it:
- Provides a way to detect privacy problems, build safeguards before investment, and fix privacy problems sooner rather than later
- Avoids costly or embarrassing privacy mistakes
- Provides evidence that an organization attempted to prevent privacy risks (reduce liability, negative publicity, damage to reputation)
- Enhances informed decision-making
- Helps the organization gain the public’s trust and confidence
- Demonstrates to employees, contractors, customers, and citizens that the organization takes privacy seriously
The Importance of PIAs for COVID-19 Vendors
In a recent report, PwC outlined some inherent privacy risks associated with common techniques to maintain a healthy, safe workplace environment. These include:
- Disproportionate data collection: Contact tracing apps are most effective only when employees constantly carry their mobile devices — even when they’re not at work — which can expand geolocation collection by all apps on the phone and produce disruptive false-positive notifications that trigger new quarantines
- Oversharing of personal data: Temperature check queues at office entrances can stigmatize employees to others nearby if their temperatures are elevated and they are asked to leave
PwC also offered the following guidance for businesses to help mitigate the privacy impact of health passports, temperature checks, and contact tracing:
- Disproportionate data collection: Different versions of app-based contact tracing can result in processing more data than is needed for the intended purpose of notifying affected individuals
- Data minimization: Provide discreet areas with private exits for temperature checks and minimize the storage of personal data related to temperature checks and health monitoring
- Consent: Seek employee buy-in for device-based contact tracing
Many companies are not able to manage health monitoring and contact tracing initiatives themselves and are either evaluating or actively onboarding new technology solutions that can offer support in these areas.
Privacy experts believe in the importance of conducting PIAs before engaging any new vendors to ensure they live up to the companies’ privacy standards and won’t put the company at risk of a data breach or privacy violation. This is especially true for COVID-19 technology solutions that may have legitimate abilities to sidestep privacy regulations in the current environment.
Privacy During a Pandemic
As companies start implementing new technologies to help them quickly stabilize during the COVID-19 crisis, it’s easy for them to justify shrugging off the due diligence necessary to fully vet a solution for privacy bugs, but shortcuts are not recommended.
Conducting a PIA before hiring a technology solutions provider to support your return to work strategy is recommended and can be done both efficiently and cost-effectively. The primary reason to do this during a pandemic is that it can help companies avoid working with vendors that have only just begun working in this space, don’t practice good security hygiene, and/or are not adequately protecting personal health data.
While the urge to prioritize speed in the current environment is tempting, it’s more important to consider your company’s future and evaluate vendors based on whether their data protection practices would result in breaches and privacy violations, which can have long-lasting effects beyond the pandemic and lead to long-term financial strife and distrust among employees and customers.
For example, Evident’s software is a leader in incorporating privacy-by-design principles, such as minimum disclosure and consent, into its solutions. A good PIA methodology can help confirm a strong privacy and security posture as well as identify opportunities for further improvement.
Join us for a free webinar on Thursday, September 17, and learn more from co-presenters David Thomas, Evident Founder and CEO, and Hilary Wandall, TrustArc SVP of Privacy and General Counsel, about the current privacy regulation landscape, privacy best practices, and why protecting employees’ personal data is of utmost concern during a pandemic.