Not Taking the Nearest Exit: Hogan Lovells’ COVID-19 exit strategy

July 13, 2020

3 min read

Sign up to our mailing list! 👇

What's going on here?

Aside from its obvious health ramifications, the COVID-19 pandemic has serious privacy implications for individuals. Hogan Lovells has published an advisory paper noting that both privacy and cybersecurity are part of the solution to this crisis.

What does this mean?

Current COVID-19 preventative measures include temperature screenings, contact tracing apps and clinical tests. These measures involve the collection and processing of personal health data. Amidst the pandemic however, organisations are rushing to implement COVID-19 preventative measures, neglecting to properly ensure data protection is achieved. Hogan Lovells addresses these concerns in its report and has concluded that public health and privacy are actually not in conflict. 

Different jurisdictions have issued their own guidelines in respect of the collection and processing of “COVID-19” data; this includes the travel history, personal health information, name, address and temperature information of individuals. While consent is usually required for the collection and processing of such data, Hogan Lovells has identified exceptions to this. The firm notes that public interest (an issue concerning the broader population) and legitimate interests (an issue legitimate to that party’s specific circumstances) are two legal bases to this exception, provided by the GDPR. Additionally, when collecting personal data of employees, businesses are encouraged to comply with the transparency principle, which provides that information is accessible for anyone to understand the purpose of data collection. Embedding privacy considerations into the development of contact tracing apps will also allow for transparency, purpose minisation (which states data should only be processed for its stated purpose), and data storage limitations. 

Furthermore, Hogan Lovells focuses on the normalising of remote working, which in turn increases the threat of cybersecurity attacks. The report highlights the importance of policies governing remote working arrangements to include training on how to report cybersecurity threats and continue business operations in a safe manner. This includes encrypting company-issued devices and providing staff with unique access credentials. Further, with the adoption of cloud services for work from home arrangements, organisations must be careful in reviewing data processing agreements to reduce legal, operational and reputational risks. The firm warns organisations to pay attention to whether cloud service providers offer safeguards complying with data security obligations. 

These data security concerns also apply to clinical trials looking for a vaccine to COVID-19. The privacy of patients and trial subjects should not be disregarded. However, consent to process personal data may not be required if legitimate interest and public interest, two lawful grounds to processing data, are satisfied.

What's the big picture effect?

COVID-19 preventative measures highlight the need for data security in the fight against this pandemic. The report notes that organisations will need to assess the impact of work from home arrangements and implement safety measures accordingly. New technologies adopted, from cloud services to video conferencing software, may lead to the acceleration of digitisation projects. Therefore, activities related to data protection compliance and cloud projects will need to be integrated with COVID-19 exit strategies. They advise organisations to consider how these services and measures will fit into the wider business strategy and governance programme. 

Businesses, including law firms, should take note of the data protection and privacy concerns addressed in this report. In the implementation of a COVID-19 exit strategy,  the significance of data protection and safeguards against cybersecurity threats cannot be understated. To protect themselves from future litigation brought forward by individuals and investigations initiated by regulatory authorities, it is advised that organisations should continue to monitor guidelines at a national and local level to ensure that COVID-19 measures are taken accordingly.

Report written by Robyn Ma

Share this now!

Check out our recent reports!