The unprecedented spread of the COVID-19 coronavirus has alarmed policymakers and healthcare professionals alike. The rate at which infections continue to spike and the fact that most cases appear to be asymptomatic makes efforts to control the outbreak much more difficult as compared to other diseases. Certain mitigation efforts taken by governments around the world, including the development and dissemination of contact tracing technology, have called into question how those efforts are affected by privacy laws and the extent to which individual expectations of privacy should be tempered in the face of a global pandemic.
There have been significant expressions of concern, both at the government level and by consumers themselves, about the apparent unavailability of certain crucial data about the spread of COVID-19. Information such as where a patient sought treatment, who they came in contact with, and where they live is invaluable for its potential to help other citizens protect themselves and to aid healthcare organizations and governments in managing the spread of the disease. How much should the public be allowed to know about others who may be infected, though?
In many cases, public health officials have control over what COVID-related information is released to the public. Much of this reporting has been kept to a minimum, listing cases in the broadest demographic terms. A more granular release of data may help individual citizens take their own precautions, but it also exposes potentially vulnerable populations to justifiable concerns about their privacy. Moreover, some of that COVID-related information is already considered protected by existing data privacy laws such as those covered by HIPAA, although HIPAA does include provisions for the release of data in the event of an emergency.
An apt comparison regarding the battle between public health and safety concerns and privacy considerations is the 2001 PATRIOT Act. One of the most significant consequences of the PATRIOT Act was the empowerment of the U.S. federal government to access private communications of American citizens; that access continues to this day. As governments consider possible methods of collecting data as part of their efforts to stem the spread of COVID-19, any new legislation should consider the scope, nature and timeline of the data collected and released to avoid risks such as civil liberties falling by the wayside as a result.
Any new laws governing the collection and dissemination of personal data should be made with transparency in mind. With individuals being forced to make sacrifices in the name of public safety, trouble can arise if they feel as though they’re being misled in some way about the potential threat of COVID-19. For example, of late, large gatherings across the country have sprung up in protest of business closures, stay-at-home orders, and related social distancing measures even as the number of cases in the U.S. and abroad continues to climb. And with states starting to consider, and now even phase in, end-of-lockdown measures, it’s even more important for them to find appropriate but protective channels of data collection that allow for the ongoing monitoring of the spread of the disease.
While it’s not too late for the U.S to implement systematic measures to collect and responsibly disseminate information relevant to managing the spread of the coronavirus, and although U.S.-based companies like Apple and Google have devoted significant resources to the development and refinement of technology that they have indicated will anonymously collect smartphone user location data for contact tracing purposes, the U.S. appears to be a bit behind the curve. Other countries have already released anonymous information regarding COVID-19 cases to help educate the public on infection patterns in moves that would not appear to necessarily infringe on individuals’ rights. There is certainly a fine line for U.S. legislators to walk, but swift and transparent action can help quell public concerns about the epidemic and allow researchers to get a better understanding of its spread. What is clear is that real anonymization of personal data is a key to walking that line. If personal tracking and location data relating to the spread of COVID-19 can be used in a truly anonymized manner to assist with curbing that spread without the risk of the data being deanonymized and users identified, and the further risk of that deanonymized information being sold, used for other purposes, or in a worst-case scenario, hacked and stolen, then it would seem by all means that should happen given the toll the virus has taken on virtually every country in the world. It remains to be seen, though, whether true anonymization can and will be implemented.