Checking our instincts: We need to remain evidence-based and standards-driven in times of crisis

Five data governance rules to uphold in times of crisis

Written by Tom Orrell*

*This piece originally appeared in Medium.

Times of crisis require difficult trade-offs between competing public interests. In the present instance with Covid-2019 raging around the world, trade-offs between fundamental human rights — the right to freedom of assembly, to liberty, and in some instances to due process — have to be balanced against the urgent collective need of society and countries around the world to flatten the curve of the virus’s spread.

As the lines between the physical world and cyberspace have become ever more blurred in recent years, these public interest trade-offs now exist in cyberspace too. However, addressing major cyber, digital and data governance issues is enormously challenging — especially in times of crisis. What often distinguishes these cross-cutting policy areas from policy areas such as education or health, is that for every positive application of a digital technology or dataset, there is likely to be at least one potentially negative and harmful application too. Therefore, as a data governance professional, you are constantly forced to think about the potential harms of your work, even as you strive to do good.

Put crudely, communities of practice that work on digital and data public policy issues, within the sphere of sustainable development, and in humanitarian and emergency contexts, can be categorised into one of two camps. There are those who embrace digital innovation, tech-pioneerism and experimentation with new data sources and technologies with open arms. And then there are those whose instinct it is to prioritise the rights of the individual and collective societal freedoms above the prerogative to experiment with new technologies. On a good day, most professionals fall into a reasonable shade of grey between these two extremes, but in times of crisis, we tend to revert to our instinctive views.

In the context of the Covid-19 pandemic, these two camps have now assumed their positions. On the one hand, there are those who are pushing for greater public-private collaboration to help source data that can inform the response, including by promoting the use of potentially highly sensitive datasets or invasive surveillance technologies to improve efforts to contain and manage the pandemic or trace infected individuals. On the other hand, there are those who point to the dangers of experimenting with surveillance tech; not only the immediate risks to individuals’ privacy and data protection, but also broader dangers to society including the risk of normalising pervasive surveillance in everyday life and establishing ethically-dubious public-private data sharing partnerships with excessively intrusive powers as the norm.

Both camps’ intentions come from a good place. I know protagonists on both sides within my communities of practice and several are colleagues, clients and friends of mine. We are all trying to find ways of being as helpful as possible and offering up our knowledge and experience in ways that can help medical experts and frontline professionals in the current crisis: the scientific researchers looking for a vaccine, epidemiologists studying and modelling the pandemic, public health professionals working on guidelines and protocols, public officials making decisions that affect people’s socioeconomic conditions, and of course the brave doctors, nurses, carers and volunteers around the world who are putting themselves at risk to help others. We need to remember that whatever our positions on data innovation and digital rights, we are all trying to address the myriad public interests that are at stake in the current crisis.

For myself at least, I have had to work hard to check my instincts in recent days — full disclosure: my instinct is to worry more about the excesses of surveillance capitalism and dubious public-private partnerships than the risk of contracting Covid-19 — and focus on what I can do to help instead. To find answers, I’ve been thinking a lot about two key tenets of my professional life: being evidence-based and standards-driven.

To accompany this blog, and in an effort to constructively contribute my knowledge and experience, I have sketched out what I think are five evidence-based and standards-driven rules for responsible data governance in times of crisis (see below).

My hope is that government officials, and digital and data policy experts use these rules to help guide their data use during the current crisis. As they stand, the rules are far from perfect and there are experts with far more knowledge than me in this space. My hope is that with the help of others, this list might evolve into a common framework that may somehow help to bridge the gap between the two communities of practice in these difficult times.In the coming days, I hope to also work on a functional and accessible flowchart highlighting data governance considerations for public officials and other decision-makers in times of crisis. Stay tuned for more on that soon.

Five responsible data governance rules to uphold in times of crisis

1. In exceptional times of crisis, including during emergencies and pandemics, governments can sometimes legitimately invoke emergency powers. These powers can include the right to supersede the general principle that personal or sensitive personal data should only be processed with a data subject’s consent. To legitimately use these powers, they should be clearly defined in law and be subject to democratic checks and balances across the executive, legislative and judicial branches of government. The judiciary must have the power to overturn the use of emergency powers if it finds them to be being unlawfully exercised by any entity, including another branch of government.

2. Any use of an emergency power should be temporary, necessary and proportionate. ‘Temporary’ means that a clear deadline on the use of an emergency power should be given. ‘Necessary’ means that there is no other way to achieve a legitimate objective (e.g. tracing infected individuals during a pandemic) than to process personal or sensitive personal data. ‘Proportionate’ relates to whether or not data collected for a specific purpose is proportionate to the achievement of the legitimate aim it has been collected for. For instance, proportionality between the amounts of personal data collected and the public health goals of epidemiologists during the Covid-19 crisis.

3. Only legitimate entities should have the right to exercise emergency powers, including powers to bypass consent as a lawful basis for data processing. In the context of the Covid-19 pandemic, only epidemiologists, medical professionals and other carefully vetted public entities and individuals should have access to personal and sensitive personal data that may be collected under emergency powers. Any processing of personal or sensitive personal data that is conducted on a basis other than by informed consent of the data subject must be accompanied by an assessment of why it was not possible to obtain informed consent and how the processing meets the tests of necessity and proportionality.

4. As a rule, private entities, big data analytics firms, data mining firms and other non-specialist entities do not have the right to collect, access or use personal or sensitive personal data without consent. In exceptional circumstances however, it may be necessary for them to do so to help achieve a public interest objective (e.g. flattening the curve of the Covid-19 pandemic). In such circumstances, any data collection must be temporary, necessary and proportionate. There must be a clear process for terminating the collection and processing of personal or sensitive personal data at the end of the crisis. Any agreement between a public and private entity must be transparent and openly published to enable public scrutiny and accountability. A process for deleting, responsibly archiving, or transferring personal and sensitive personal data out of the hands of non-public entities at the end of the crisis should form part of any agreement.

5. A crisis such as pandemic is never a time for experimentation based on the processing or use of personal or sensitive personal data by private entities. Legitimate entities such as the World Health Organisation (WHO), Ministry of Health officials and professional scientists, epidemiologists and researchers may utilise personal and sensitive personal data to model outcomes; so long as their purpose is legitimate and specific, and their processing meets the tests of necessity and proportionality.

   If you would like to contribute to the evolution of these rules, please contact me at: tom@dataready.org.