Data Rights and Data Protection during COVID-19
The global COVID-19 pandemic brought extraordinary disruption in every aspect of our lives. Still, the private and public sectors can come together to create new systems that can make the United States more resilient.
From digital contact tracing to mobile apps that track coronavirus symptoms, technology can help individuals, communities, and governments respond to the pandemic. But how is this information collected and stored? What’s made available to the public? How much is truly anonymous? What are your rights around this data?
In early 2019, the San Francisco Fed fintech team began engaging in research to understand the complexity of data as a policy area, so we have these questions, too.
We hope this work can help the U.S. navigate the use of data during the pandemic while offering considerations for potential systems of data rights and data protection in the future.
Using data to mitigate the spread
The most important aspect of the COVID-19 response is healthcare. Around the world, digital tools are being used to help this effort. In particular, many countries use mobile phones and mobile phone applications to gather data such as:
- Tracking people to monitor compliance with shelter-in-place and quarantine requirements.
- Performing digital contact tracing to determine who may have been exposed to an individual with the virus.
- Tracking health symptoms to identify new potential spikes in cases.
In addition to individual tracking, many public and private entities are compiling large databases of infected or exposed individuals. They capture all manner of data from confirmed cases to demographics.
The global data collection landscape
Countries such as Taiwan use government databases that connect health, immigration, and customs information with mobile phone tracking to alert authorities when someone breaks quarantine. Other countries, such as Israel and China, are repurposing existing intelligence and citizen surveillance infrastructure to identify exposed individuals and track the spread of the virus.
Globally, over thirty countries are deploying, or are considering deploying, cell phone and web-based applications to gather data to help fight COVID-19. The U.S. has public and private efforts similar to those in other countries. However, they tend to be less centralized, and more variable based on a patchwork of existing privacy laws. For example, several mobile advertising companies have begun sharing cell phone location data with local authorities to report on movement during shelter-in-place. (Data from telecom companies falls under stricter regulations so cannot be shared as easily.) Large U.S. tech companies are also helping governments develop mobile phone applications that can potentially notify individuals who may have been exposed to the virus.
Data anonymization and other challenges
Around the world, and especially in the U.S., new challenges come along with new methods of collecting and using data. Location data taken from cell phones and used to monitor shelter-in-place requirements are particularly difficult to anonymize. In other words, the information can trace back to specific individuals. Additionally, while these practices may prove beneficial and necessary, nobody is making a concerted effort to inform the public about these efforts or the related privacy and security practices. Nor has anyone sought widespread consent for this activity. There is also limited evidence that using location data to monitor proximity to infected individuals is as effective as traditional contact tracing. Finally, collecting health status information from individuals may not provide a full picture of infections in a given area if only a limited number of individuals participate. In the U.S., programs being set up to track health symptoms are voluntary, and most Americans say they would be unlikely to participate in this kind of data collection.
The U.S. is not alone in the challenge of participation. Other countries, such as Singapore, also struggle with uptake of tracing applications, with only about 20% of the population currently participating. Public health experts indicate that 40–60 percent of the population would need to take part for effectiveness.
Considerations for data collection
Challenges underscore many issues the SF Fed thinks about in our research. A fundamental question raised across the world is, what rights do individuals have relative to information about them? In situations like collecting location or health information in a pandemic, it may be useful to have a guiding data rights framework. It could help define which information individuals retain some form of autonomy over or rights around. It could also address situations where the greater public good may supersede individual choice.
Our work also delves into the challenges of anonymization and considers how to improve data protection overall. Like a framework for data rights, a complementary data protection framework can guide companies and public entities to keep information secure while still using it for the benefit of individuals and the broader public.
Information can help the world overcome the COVID-19 pandemic and prepare for the future. While we may not be able to design guiding frameworks for the use of data in the midst of this upheaval, there remain opportunities to give individuals choice and security today. Furthermore, we can learn from emerging data needs and challenges to build structures to guide the future. This brings up a few important questions:
- Where does increased data collection have the greatest opportunity to help?
The industry needs to do more work to determine which types of data are actually necessary and effective to help combat the COVID-19 crisis.
- Which entity/entities will be doing the actual data collection, and for what purpose?
Currently, the most critical consideration is if an entity has capacity to engage in activities immediately and securely. For the United States, that capacity rests mostly in the private sector. Further factors include data security and how data may be used beyond the crisis response. In the past, there has been a focus on public entities’ responsibility for data protection and conduct. But as capacity shifts, so has the conversation around responsibility.
- What rights will individuals have relative to data collected and used during the pandemic?
A core concept in our research is that individual control relative to data is important, but may also need to be balanced with other policy goals. This pandemic highlights tensions between individual agency and broader societal needs. An important distinction, though, is limiting choices in times of crisis. For instance, could individuals review data collected about them and take action—such as having data deleted—later, even if those options are not available today?
- How can data systems built for the crisis be monitored—and reconsidered—when it ends?
Data systems created to deal with the coronavirus pandemic do not necessarily need to define future U.S. data governance. Once the pandemic subsides, the country could learn from these efforts, while creating more permanent governance frameworks. Some companies already have voluntary data conduct guidelines for the pandemic. These standards, along with consistent security approaches, could be a starting point for future systems.
Data protection and data privacy may seem less important when lives are at risk. However, if data are used to help the U.S. weather the coronavirus pandemic we believe that individual data protection and choice are important considerations. Collectively we can learn from the benefits and challenges of data during this crisis while assembling guardrails and infrastructure that enable the country to respond more quickly and confidently in the future.
Read The Role of Individuals in the Data Ecosystem: Current debates and considerations for individual data protection and data rights in the U.S. for a more in-depth discussion of these issues. We are grateful for the opportunity to contribute to this dialogue and continuing to serve the public during this unprecedented time.
Kaitlin Asrow is a fintech policy advisor at the San Francisco Fed.
The views expressed here do not necessarily reflect the views of the management of the Federal Reserve Bank of San Francisco or of the Board of Governors of the Federal Reserve System.