Personal data is a complicated asset for many businesses but is becoming more pervasive in the modern business world. Personal data obtained by businesses relating to their customers or employees is an extremely valuable asset and is used to market a business, make informed decisions and policies and reach certain conclusions. While the data is extremely valuable it also carries substantial risk to both the customer and employee as well as the business that uses the data. Given this substantial risk, there has been an increase in regulations including:
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standard (PCI DSS)
- European Union’s General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
As governments and companies are hurrying to put an end to the current pandemic, they are continuously leveraging the use of personal data in their pursuit of a cure. While these regulations are meant to protect the personal data, there are also stipulations that allow for the suspension of the rights within the regulations. The European Union is suspending GDPR and loosening restrictions on the processing of what the law calls “special categories” of personal information including health data. The GDPR allows the processing of these special categories of data if the processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health. Certain European countries including France, Germany and Italy have offered blanket permission regarding the use of personal health data to combat the pandemic, and other countries continue to provide guidance on the use and transmission of this personal data. GDPR’s Article 9 authorization of suspension in times of crisis also addresses how long personal data can be stored and where and who has access to it.
Within the United States, the Department of Health and Human Services has provided multiple scenarios where data can be shared and utilized without patient consent to serve public health interests. While the change in restriction is completely understandable given the current pandemic, the need to protect an individual’s privacy should continue to be of utmost importance and the sharing of information should continue to be restricted to legitimate needs.
Awareness is required to ensure that businesses abide by the various data protection regulations and reapply the mandatory data protections when the crisis passes. As individual businesses evaluate risks and make decisions regarding COVID-19 and their employees' personal data, below is a list of items that should be on a business's checklist regarding personal data.
- Do not reveal the identities of individuals or provide information that could identify individuals who are under investigation for exposure to COVID-19.
- Be prudent in sharing the latest CDC information with employees regarding prevention and the efforts by government and businesses to limit people's exposure to COVID-19.
- Assess your business's third-party relationships, including business and strategic partners, which might involve the transfer, sharing or release of employee data.
- Ensure proper authentication and authorization controls are in place regarding the access of sensitive information.
- Even though others may assume your attention is focused solely on pandemic issues, keep up security efforts to monitor networks and access for anomalies or risks.
Regulations are still attempting to fine-tune data privacy, determining the balance between extracting value from personal data and protecting the source of such data. As governments across the globe manage the COVID-19 outbreak, there will eventually be case law generated which will provide future context regarding where and when to protect personal data, and where and when to leverage it.
You’ll need to get creative, but you can do it. We’re here to help. For more information and resources on COVID-19, see our coronavirus page.
Our professionals have many years of experience working with construction, dealerships, restaurants, nonprofits, governments, and technology industries. If you have questions about data analytics for your organization, don’t hesitate to contact a Henry+Horne professional adviser.
Kevin Bach, CPA, CVA