Privacy and a Return to Normal Part 3: We Will Trust Because We Must
This is the third and final part of a blog post series exploring privacy concerns about COVID-19-related contact tracing.
Here’s what it will look like when we embrace contact tracing.
We’ll show up at work like normal and likely be greeted by a short line. As a condition of our entry into the building, our well-being will be asked about and our temperatures taken.
Then, 99% of us will continue on to the new normal.
We won’t have experienced a great national debate about privacy.
We won’t have experienced a sense of pride about helping to protect our community by voluntarily contributing our health data to science.
Instead, we’ll simply, passively comply with the collection of data by someone we already—well, mostly, sort of—trust: our employer.
We’ll do so for the same reason we sign the Acceptable Use agreements that enable our employers to track our every click and monitor every word we utter using our company-owned devices. We’ll do so because courts have ruled again and again that employers have the right to gather this kind of information.
We’ll participate in contact tracing because we must, if we want to come back to work in our pre-COVID office settings.
But we’ll also accept the sharing of health data and contact tracing at work because it’s one of the few places in our culture where we have meaningful conversations about security and privacy, and where we have reasonable belief that the entity with all the power—our employer—has our best interests at heart.
Contact Tracing Comes to Work...
The time to debate whether we’re ready to “return to work” seems to have passed.
Across the U.S. it’s happening, ready or not. To varying degrees across our country and across the world, we are returning to work (indeed, many never even left).
In many cases, with this return comes the scenario I described above. Either a representative of the company or a nurse checks our health status. (Hopefully they are following some of the excellent guidance provided in this infographic.)
A study conducted in April 2020 by the International Association of Privacy Professionals (IAPP) and EY showed that “most employers are processing the health information of employees, such as asking employees about whether they have experienced any COVID-19 symptoms (58%), have done any personal traveling recently (53%), and whether any members of their household have experienced COVID-19 symptoms (35%).”
Nearly a quarter (23%) took employee temperatures. 60% of the companies surveyed collected records of whether employees were diagnosed with COVID-19.
...But Where's the Data Go?
One unresolved issue is what exactly is done with this data. Employees have grown used to employers holding and protecting their information in the form of tax data, health insurance records, etc.
But not sharing infection rate data defeats the larger social purpose of contact tracing, which benefits when this information is shared with healthcare professionals and researchers to increase understanding in the broadest possible context.
Put another way, what good is sharing your health data if it only directly protects your coworkers?
Not Sharing is Not Caring?
It’s pretty clear, however, that most employers are NOT sharing this data more broadly.
The IAPP/EY study showed that only 19% of those gathering data shared it with anyone, with anyone presumably including local health authorities (the study does not specify).
An early hope of contact tracing utopians was that high adoption across a broad swath of society would help health officials manage widespread infection with positive impact on both health and the economy. But employers—rightfully cautious about the legal ramifications of sharing—seem to have kept this data largely to themselves.
Are American employees expressing their preference to trust employers above all others when it comes to contact tracing? We can’t really know; the rush to return to work meant that the employer’s front door was really the only place it could happen.
What may still unfold is a way to aggregate employer-gathered data to support the public good—but it’s too soon to say whether this will work.
There’s Money in Collecting COVID-19 Information, Though No Law to Protect It
One thing is obvious about employers taking on health monitoring: it’s feeding the growth of a robust market for new tech tools to solve the problem of collecting health data in the workplace. IDC analyst Laura Becker told CNBC that the market for “digital contact tracing for companies could be worth billions … as companies re-open offices and look for ways to assure employees it’s safe [to return to work.]”
Whether it’s a temperature self-check kiosk located at the front door (Janus, by Truyo), sensors that monitor and report on the distribution of people in your office (VergeSense), apps that allow self-reporting and tracking, or systems that integrate data gathered from contact tracing directly into pretty dashboards in your CRM, tech companies big and small are bringing tools to market to serve the needs of employers who recognize the only way back to profitability is to get people back to work.
“What remains to be seen,” notes James Temple in the MIT Technology Review, “is how workers themselves respond when employers direct them to take tests, disclose symptoms, don masks, wear dongles, and work under the watchful eye of sensors monitoring their temperature or proximity to colleagues.”
“Certainly many will see these measures as necessary and temporary trade-offs to protect their health, as well as that of their coworkers and community,” continues Temple. “But grumbling and protests over the civil liberties burdens imposed by stay-at-home orders suggests that plenty of others won’t.”
Another unknown? Whether new laws will emerge to regulate what appears to be an unprecedented level of data gathering and possibly surveillance.
As yet, this soon-to-be massive collection of truly sensitive personal health information has occurred without the protection of a federal privacy law, despite renewed debate and renewed hope that such a law could provide the protections that privacy advocates crave.
Training and Awareness Can Build Trust
I’ve come to believe that situating the health monitoring associated with COVID-19 in the workplace is a good thing.
After all, the modern workplace—which increasingly finds itself either motivated to or required to comply with privacy and cybersecurity best practices—is one of the places where we SHOULD BE and ARE having real conversations about the critically important issues associated with contact tracing. In fact, those issues are the meat and potatoes of a good privacy awareness program.
In organizations with a healthy privacy training and awareness initiative, there is ample communication about the importance of data minimization, access controls, transparency, and the application of appropriate security measures.
Because employees have learned that their personal information is theirs to control, they likely feel comfortable asking real questions about who has access to their data and how it’s being used. They likely keep a close eye on what technical solutions get deployed (many of the ones I mention above are vigorous in their application of privacy protection).
As I’ve watched the debate over contact tracing and privacy unfold over the last several months, I hoped there might be a more general public debate about privacy protections. A part of me even believed this might push along the changes of a federal privacy law. (I’m not holding my breath there.)
But I do think that we’ll continue to explore the challenging social and cultural issues associated with privacy and security in our workplaces, and that those of us involved in awareness and training can make a meaningful contribution to shaping that debate.