COVID-19 pandemic opens up new frontiers for health data privacy
The COVID-19 pandemic has turned up the volume of the ongoing debate around health data privacy across Europe. New frontiers are opening up daily as the European Commission and individual member states seek ways to engage digital technology in their efforts to contain the spread of the virus while adhering to the requirements of GDPR and the region’s exacting ePrivacy regulations.
Ensuring personal privacy
Against a background of widespread urgency, some countries have forged ahead without waiting for international efforts to provide a framework for sharing health data for the public good while preserving the principles of personal privacy.
Publicly, eyebrows were raised in the European Data Protection Supervisor’s office by South Korea’s rapid roll-out of Corona 100m, a central tracking app that informs citizens when they are within 100 metres of known COVID-19 cases. Privately, there has been considerable admiration for the role the app has played in the country’s relatively successful containment strategy.
In Europe, Poland’s self-quarantine app – which requires anyone under a mandatory 14-day quarantine to upload a selfie, proving that they are at their designated address, whenever they are asked – has also provoked the debate. Theoretically, it is still an opt-in app. But its dependence on face recognition software and geo-location tags have privacy implications beyond the duration of the COVID-19 pandemic, particularly if the data is retained.
A more joined-up effort is promised by the imminent release of the Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) toolkit – the code for apps that detect users close enough to infect each other by analysing Bluetooth signals between mobile phones.
For Petra Wilson, European program director at the Personal Connected Health Alliance, these fast moving developments are evidence of how the digital health community is finding new ways to exploit the benefits of sharing data within the context of legislation – and the importance of preserving public trust in the privacy of health data.
“We are working out how to strike a balance between what we need to do in the context of the management of a pandemic – which could mean rethinking an amount of privacy for the duration – and recognition by the individual of the value of sharing your data for that purpose, within your broader right to privacy,” she said.
'Data is the new fuel for our systems'
Within the context of a pandemic, the legal concept of proportionality and the ‘common good’ in using public health data to go beyond might be acceptable in ‘normal’ times has been emphasised by the European Commission – although the interpretation of these phrases can vary at a national level.
“What’s fascinating is that in the discussion around health data sharing, we are seeing the playing-out of a parallel with social distancing,” said Wilson. “It’s the same balance: personal protection versus the public good. If we all agree that data is the new fuel for our systems and structures, it becomes a major aspect of the common good.”
Wilson said that with the improvement of health care being a key driver for the European Commission’s strategy for data, there is now a modus operandi that allows the sharing of health data for the common good of Europe’s healthcare systems.
“The COVID-19 emergency means that some countries have moved more quickly to enact emergency laws, while others have relied on GDPR’s provision for the use of healthcare data in a crisis,” she said.
“Some of these have been snap responses but they are generally positive and will pave the way for people to come together and say that we need a proposition for taking things further in the future. Through this crisis we are really understanding the power of using data differently – and the challenge of balancing Fair Data with privacy.
“Post-virus, these experiences will help us to think more constructively about how health data can be used for the public good, while staying firmly committed to the respect of privacy and the importance of retaining trust in the security of our personal data.”