What's On

The Acting Privacy Commissioner Mr Tony Lam (pictured) was interviewed by the International Association of Privacy Professionals (IAPP) in relation to a joint IAPP-EY research project on COVID-19.  He shared his thoughts on the implications of COVID-19 on privacy practices, priorities, challenges and consumers’ trust. 
 
“The COVID-19 virus does not care who you are and where you live.”
 
Mr Lam discussed the top privacy challenges stemming from COVID-19, including the possible excessive collection of sensitive personal data (e.g. health data), when and how personal data might be disclosed and transferred, the security and uncertain retention period of personal data, how data would be processed post-pandemic, etc. During the pandemic, what needs to be known to contain the spread of the virus is one thing, but it is quite another to indiscriminately disclose data to those who want to know.  Therefore, the PCPD does not consider disclosing names or the exact addresses of those infected persons would be useful to fight the virus. “After all, the COVID-19 virus does not care who you are and where you live.” Mr Lam said.
 
The pandemic impacts not only health data but also data in daily activities such as classroom teaching and meetings via video conferencing tools, work-from-home arrangements and the like. The "new norm" is changing the modus operandi in every facet of our lives.
 
In the face of the growing collection of sensitive personal data by private entities, Mr Lam outlined a series of practical tips and advisories issued by the PCPD to monitor compliance and address privacy concerns, emphasising the principles of necessity, appropriateness and proportionality, and advocating permanent destruction of data once the purpose of collection is spent.
 
Mr Lam also suggested organisations maintain transparency and explainability amidst the increase in data processing in order to build trust with customers and employees. Nowadays, instead of looking up to authorities with trust, individuals are increasingly skeptical of authorities. Hence organisations should therefore explain the rationale with clear privacy notices, policies, and practices. Mission creep should be avoided.  Organisations should also take an ethical approach in data processing, respect data subjects and be fair to them to create mutual benefits.
 
"Without data, nothing can be done.  Without trust, nothing can happen."
 
Mr Lam said that enabling trust was essential to protect privacy and enable efforts to combat the pandemic or similar threats in future. Mr Lam said, “Without data, nothing can be done.  Without trust, nothing can happen.”  Looking ahead especially beyond the post-pandemic, Mr Lam shared that privacy enforcement authorities would play three roles in one, namely regulator, enabler, and protector. He believed that over matters of widespread and significant privacy concern, stakeholders would expect the data protection authorities to come out earlier, be firmer and clearer, and offer concrete advisories reasonably and proportionately. Last but not least, privacy-by-design would be increasingly important and the efficacy of data collection as well as how data would be used and destroyed would be a crucial subject post-pandemic.