Balancing privacy and safety - Covid-19 in the workplace
As we try to reopen for business, large employers in particular are finding themselves with multiple workstreams trying to ensure worker safety in the context of the Covid-19 pandemic.
Many of these initiatives have significant implications for privacy and cyber-security and bring with them a greater than ever need for co-operation between business functions. It’s tempting to backburner privacy concerns in pursuit of rapid implementation. At this critical juncture employee concerns remain primarily around their own safety and that of their loved ones, and some regulators have explicitly relaxed their enforcement regimes. However, we believe that there are very good reasons to keep privacy very much in focus.
Privacy matters because people matter
Assuring workplace safety in response to the pandemic inevitably means collecting and processing health information; it may also include additional biometric data. This kind of information comes with stricter regulation because of the greater potential for harm to data subjects if it is breached or misused. Even if that strict regulation is presently subject to lax enforcement, the harm itself has not been reduced. One reason that this is so important when considering health and biometric information is that breaches are not retrievable: a password can be changed, but not fingerprints, faces or a chronic health condition.
Think long term
As with all healthcare, and all privacy, it is vital that employers continue to balance short- and longer-term risks to staff. While the overriding priority now is reducing the risk of infection from Covid-19 and, in consequence, increasing employee confidence in returning to work, the longer-term concern must be to avoid breaching or misusing sensitive data and, in consequence, jeopardising employee trust. Building and maintaining trust with all stakeholders is essential to sustainable growth.
A return to normal
While the new normal may well be quite different to what came before, we can nonetheless expect that regulators will once more take an interest in how organisations are using data, even where it was or continues to be part of their Covid-19 response. Failure to properly account for privacy now may be costly in the future. More importantly, employees, consumers and shareholders will once more turn their attention to governance and ethical concerns when the present crisis is over, and will be critical of enterprises that failed to find the right balance between safety and privacy.
An opportunity for change
Satya Nadella of Microsoft said that we’ve seen two years of digital transformation in two months. As normal barriers to change fall before the pressing need to adapt to new restrictions and threats, this is our chance to show that privacy by design and default doesn’t need to be an obstacle or a hindrance. Using the same rapid innovation techniques that have worked so well in other areas, enterprises can build effective co-operation between functions and business units to make sure that privacy concerns are properly considered; they can also use the privacy doctrines of minimisation and necessity to ensure that the best and most cost-effective approaches are chosen for each challenge.
Community engagement: risk or reward?
Large employers have concomitant involvement with their local communities. Even in normal times this can involve extending internal services out into the wider community, but Covid-19 is supercharging these initiatives. As employers roll out their own contact tracing or virus testing facilities, it is only natural that there are internal and external pressures to open these capabilities up to a wider audience. On the one hand this offers enterprises an opportunity to do real good right at the heart of their local engagement; on the other hand it also significantly increases the regulatory and harm-from-breach risks by commingling employee and non-employee data in corporate platforms and processes.
Vigilance in a changing world
The world is changing at unparalleled speed, and enterprises need to match or exceed this speed in order to survive. Privacy must not be a blocker or a brake – it too must evolve and adapt so that people’s fundamental rights and freedoms can be protected alongside their health and safety. All of us must be vigilant to ensure that we do not trade short-term safety benefits for longer-term damage to trust and broader individual wellbeing.