Scientists, politicians, tech firms…organisations everywhere are joining forces to combat the Covid-19 Pandemic around the world. Funds are being released in a seemingly endless nature and the majority of the world’s population is being asked to stay home, lockdown and self-isolate. But how has this impacted GDPR and digital marketing?

It’s completely unprecedented and unlike any other global crisis we have dealt with in our modern, digital era. So, what does this mean for data? Data governance and data protection are key guides to how our tech responses navigate through the unchartered territory that is this Pandemic. Under usual circumstances, it is data privacy law that guides how and when organisations can contact people.

Well what about GDPR now? Do Data Protection laws go lax during a pandemic?

With specialist units being set up across the country, and between five to ten different incidents of privacy violations online being tackled daily, we wonder how GDPR is managing data protection during such an unparalleled time. 

The UK government has announced that it’s cracking down on misinformation being spread about Coronavirus online. In a recent article, the government noted that specialist units are operating to combat misinformation about coronavirus and five to ten incidents are being identified and tackled each day. 

This includes phishing emails being sent asking for personal details and payment for police “fines” for going outside during lockdown. The question is, as a result of the overload, how many GDPR violations will also be taking place? Or perhaps more of a concern, have the appropriate government bodies and the NHS been able to reach people when they needed to?

The Information Commissioner’s Office has released the following statement in support of digital outreach during the Coronavirus Pandemic: 

“Data protection and electronic communication laws do not stop Government, the NHS or any other health professionals from sending public health messages to people, either by phone, text or email as these messages are not direct marketing. Nor does it stop them using the latest technology to facilitate safe and speedy consultations and diagnoses. Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health.” – ICO

We all can appreciate that the above does mean that the appropriate government bodies will be able to reach people regardless of the GDPR restrictions. Yet, it’s slightly unnerving for many people who will see this as a lax on the law – for example, could private health firms use this argument? Although they are not in the public sector, might we see a time when private sector firms are acting within the best interest of the public sector?

Letting go of data privacy and GDPR for health support

An example of this comes from the US. California has only recently implemented it’s CCPA data governance law in January. However, details of the law are still being finalised. Last week, 33 different organisations approached the State of California to delay the implementation of the CCPA data law as the pandemic is such a shock to every area of the economy. The implementation of this law is causing an overwhelming concern from businesses about the sustainability of such strict data governance rolling out during this crisis. 

Who cares about relaxing this law for a few months in the face of a global pandemic? Well, interestingly, we all should. Tech giant, Google and its sister company, Verily, have launched a new Coronavirus testing capability in the state of California. The process is fairly straightforward: The site runs users through a series of screening questions via the company’s Project Baseline health data collection platform. Depending on if the system deems them eligible, they’re allowed to make an appointment for a much-coveted coronavirus test.

What’s the catch? Well in order to use the screening tool, users must have a Google account. And they must agree to a number of data privacy clauses. Ultimately users are exchanging their health information for a potentially life-saving test. Who would say no? Should we be worried? Whether you should or shouldn’t be worried, you are officially sharing your personal data with Google, Verily and anyone else you’ve agreed can know about you. Google is effectively forcing you to share data for a test that you may or may not need. 

Data governance becomes data coercion. And in this case, it’s also extremely experimental. Rolled out with very little testing, we are unsure how successful the Verily system will be. As Foreign Policy magazine putis it, ‘The coronavirus pandemic may—if tech companies and surveillance-curious governments get their way—extend this type of tech-driven experimentation to just about everyone.’

Getting back to normal: Looking beyond the Pandemic

Of course, any type of government-approved surveillance program, however well-intentioned, raises serious questions. For most of us the question is: how is our sensitive data being used? And how do we go back to not providing it after the pandemic is over? 

If these were ordinary circumstances, data protection laws such as GDPR and CCPA would protect people from data governance violations. And one would hope that these laws are still in practice for most organisations. Taking our private health data and exposing it to private companies, even in the interest of public health, is a source of concern because these records hold significant commercial value ( 

Only time will tell how our data is used beyond this pandemic. There are simply no rules on how the current situation will pan out as it’s so unprecedented. But data protection must be protected. We should hold the government accountable as to how it’s planning on using data, who will ultimately have access to our health information and for how long. We will see the end of this pandemic crisis. The questions will remain around data governance. We should continue to question information required during the pandemic and challenge it’s usage in the days, months and years to come. 

Here are five ways you can manage your own personal data and cultivate data during the pandemic:

  1. This is not a time to panic – the law exists for a reason. Use the guidance outlined by the ICO to determine your eligibility for collecting information (from a business perspective) and be diligent with your own. 
  2. Health information is sensitive data:  Ask yourself why are you are collecting it and for how long you will require it. Be transparent in your privacy policy and terms and conditions.  
  3. Keep your information accurate. Data quality is absolutely king during a time such as this. Work with a third-party to ensure data quality is maintained, especially if you are scaling data requests globally.
  4. Delete what you don’t need. This isn’t a time to hoard information. If you can’t justify why you are collecting it, just don’t.
  5. Does this mean that I can’t collect information about coronavirus to help guide my business through the crisis? Not at all, just be sure to use these tips to make sure you are in keeping with the law. 

Ultimately businesses should have the correct policies in place for collecting data. Data governance may be flexing slightly in the face of this global pandemic but as businesses, we can do everything we can to ensure we are supporting laws and applying the necessary compliance. Only time will tell if other businesses and government bodies are maintaining data integrity in the same fashion.

Get in touch with if you have specific queries about data collection and data governance. 

Useful Tip: If you are planning on collecting data as a result of Covid-19, The UK Information Commissioner’s Office (“ICO”), has also reported its own FAQs for handling personal information. 

Stay well during these unique and unparalleled times.

Comments are closed.