It is the best of times, it is the worst of times. When it comes to the ability of companies and other organizations to access and use our data, the classic Dickens tale comes to mind—especially as winter settles in while cases of COVID-19 surge across the country and governments once again face difficult decisions about how to respond.
Consider contact tracing. A survey KPMG commissioned in May found that while nearly all Canadians (92 per cent) feel digital contact tracing apps must balance privacy concerns with public safety, the majority (60 per cent) would actually sacrifice their privacy if it helped stop COVID-19. In other words: Canadians care deeply about their privacy and civil liberties, but they also care enough about each other that public health supersedes privacy in a national emergency.
But that doesn't mean they think the use of contact tracing apps should be made mandatory. On this, Canadians are more clearly divided, with less than half (45 per cent) of respondents to our survey saying government should require individual Canadians to use their smartphones to anonymously share their COVID-19 status and 55 per cent saying this should be voluntary. Fully two thirds of respondents said they would not download such an app, calling it still "too invasive."
Canadians understand contact-tracing apps can be effective if participation is high: nearly three in five (57 per cent) of us don't believe digital contact tracing would be effective unless it is mandatory. But if they are ever to garner sufficiently high and therefore effective participation, the design of such apps must limit threats to privacy – and be used only for the stated purpose. While the majority of Canadians are willing to sacrifice some privacy to help stamp out this pandemic, few are willing to grant government free rein to track everything in their phones.
Government, in short, must be completely transparent on how contact tracing data will be collected, stored, erased, and managed. This will be especially important in the COVID-19 vaccine rollout, which will be one of the largest and most complex health initiatives in Canadian history. If that data is to be shared, now or in the future, the circumstances should be crystal clear. Policies should be implemented and enforced to prevent misuse and/or abuse of the data and to assure the public that principles of accountability and data minimization are being respected.
The key is how organizations use the data they are entrusted with. Contextual use of data should put institutional responsibility and ethics ahead of short-term gain, and respect what I'll call the "two privacies"—the individual's right to control their own data and, more importantly, understand how it is used and shared.
Sounds simple and pragmatic, doesn't it? That's because it is.
But not everyone has been getting this right. So, how can organizations—especially the government, especially now—avoid ending up in a "creepy data use" story? There are some clear actions they can take.
- Put individuals at the heart of privacy strategy. This means making people fully aware of the kinds of personal information held and how it will be used, with transparency and accountability as guiding principles.
- Understand that data is an asset and a liability. Liability in this case isn't just about penalties but also loss of trust as well as reputational damage resulting from a breach or unethical data use.
- Don't rush into major technology investments. Before considering which solutions to invest in, the basics must be in place—starting with strong privacy and data governance.
- Prepare for questions – with real answers. Reputational damage can be immense, and a growing community of journalists and other stakeholders are eager to ask difficult questions about data collection and use. In our social-media-saturated world, reputations and brand value can be destroyed seemingly overnight. So be media-ready at all times, with senior, credible, privacy-aware spokespeople ready to field all inquiries in good faith.
Above the law
These issues speak to core cultural values and the kind of society we want to live in. And all of it is predicated on trust. How much loss of confidence can we endure? Who's responsible for restoring the confidence we've lost? How do we restore it?
It comes down to context: ethical parameters around data collection and use must be in place and those parameters must be plainly transparent to the individuals whose data is at issue. And even if it's not enough to know that this is simply the right thing to do, it's also good for business—whether for-profit or affairs of state. Ensuring that individuals have both choice and control over what is done with their data is the single most important thing companies and the government alike can do to build—and maintain—trust.
After all, at this point, there's no getting away from the data revolution.
There's only getting it right.