Enterprise cybersecurity technology research that connects the dots.

Amid a pandemic, Data Privacy Day this year brings forth expanded responsibilities for organizations in the response to COVID-19.

Maxine Holt, Research Director, Omdia

January 28, 2021

3 Min Read

One year ago, Data Privacy Day 2020 showed nothing more than a glimpse on the horizon of the pandemic to come.

However, this year's Data Privacy Day -- today, 28 January -- brings more widespread responsibility to ensure that the data held by public and private sector organizations alike is treated with respect, in line with relevant regulations.

While there is always more personally identifiable information (PII) than ever for enterprises to protect, this is particularly true in 2021 with the inclusion of data held by government organizations engaged in the fight against COVID-19.

Maintaining data privacy is no easy matter: the footprint of information within and beyond an organization's boundaries can make it difficult to get a handle on what data resides where, and how it is used. Yet control of the information footprint is essential to provide the appropriate protection.

Data privacy has quickly become an essential component of government responses to COVID-19. The World Health Organization (WHO) recognizes this, and released a joint statement in November 2020 about the "use of data and technology in the COVID-19 response in a way that respects the right to privacy and other human rights and promotes economic and social development."

The statement recognizes that PII and other data plays a key role in helping limit the spread of COVID-19. It also points out that if the data is used for purposes not directly/specifically related to the pandemic response, it could lead to the infringement of human rights and freedoms. The lawful requirements for the use and processing of data relating to pandemic response is highlighted, as is the importance of destruction or deletion of data.

Countries enacting either mandatory or voluntary approaches to "track-and-trace" the spread of infection must be abundantly clear about how data will be used if they hope to effectively address significant data privacy concerns, as well as keep to the spirit of the WHO joint statement. This is not only a government issue; private-sector organizations will frequently be involved in this effort, and all must protect this data.

An appropriate paradigm to apply to today's data protection efforts may be zero trust. It is a concept that has been around for a decade or so in the security world, specifically intended to remove the concept of trust from information systems protection.

A data protection policy that defines how an individual or system can accept, process, store, monetize, and otherwise manage data should be transparent, e.g. a clear statement that law enforcement agencies cannot use any COVID-19-related data, or that the data won't be sold to a health insurance company.

Furthermore, the data must be destroyed at an appropriate point in time; details of contacts of individuals who have tested positive for COVID-19 are highly unlikely to be required three months after the contact occurred. Retention of such data might be allowed under some regulations, but it is not in the spirit of the WHO joint statement, and indeed unlikely to be what individuals would desire or expect to happen.

This Data Privacy Day is a perfect opportunity for every organization to take stock of the growing need for due diligence in regard to data protection policy.

Omdia's annual report on Data Privacy Day covers responsibilities for dealing with data as part of the pandemic response, as well as the data privacy elements of ransomware, AI models, and deepfakes.

About the Author(s)

Maxine Holt

Research Director, Omdia

Maxine leads Omdia's cybersecurity research, developing a comprehensive research program to support vendor, service provider, and enterprise clients. Having worked with enterprises across multiple industries in the world of information security, Maxine has a strong understanding of the Office of the CISO, the security challenges CISOs face, and how organizations can look to overcome these challenges.
 
Before rejoining Omdia (as Ovum) in 2018, Maxine spent over two years at the Information Security Forum (ISF) developing research in areas including Protecting the Crown Jewels and Securing Collaboration Platforms. Prior to the ISF, Maxine spent 15 years at Ovum covering topics including security, human capital management, and identity and access management. Maxine has a particular interest in how all the component parts of security combine to make up an organization's security posture. She focuses specifically on the Office of the CISO.
 
Maxine started her career as a software developer in the financial services industry. She gradually progressed into a systems analyst role and then moved into consulting for the financial services and Internet sectors. Maxine is a regular speaker at events and writes a monthly Computer Weekly article covering various aspects of information security.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights