Data privacy, what lies ahead of post-cororonavirus

The coronavirus pandemic has seen the rise of mass surveillance by Governments as a tool to curb its spreads. This has led to worries about violations of data privacy and how protection of it can be guaranteed.

The economic disruption of the virus also poses a risk that businesses might flout regulations for example in under-declaring their performance.

Working from home arrangements during the coronavirus pandemic also poses a threat of cyber attacks for firms.

To understand what lies ahead during and post-coronavirus in terms of data privacy, compliance and lessons for firms, Financial Standard spoke to PwC Head of Regulatory, Compliance and Advisory Joseph Githaiga

What are some of the emerging issues as a result of the coronavirus pandemic around data privacy and should we be worried?
Some members of the public may suffer the "Big Brother" syndrome and worry about the extent to which government agencies can legally use personal data to enforce measures to contain and manage the pandemic in Kenya. For example, identifying individuals who have or may have the disease, enforcing quarantine measures, imposing restrictions on freedom of movement.

It is important to recognise that an individual’s right to privacy is not absolute and that there are grounds for qualifying that right. For instance, where it is necessary to do so in the public interest or for the protection of the vital interests of individuals, or for compliance with written laws. It is therefore not difficult for the government to establish a lawful basis to justify the use of personal data to contain the pandemic.

However, once the pandemic is contained and the crisis is over, individuals will probably have stronger grounds to argue that any personal data processed for the purpose of pandemic containment should be destroyed or anonymised.

A key consequence of the pandemic containment measures has been the introduction of work from home arrangements by businesses and public sector employers. To make such arrangements effective, many employers have had to adopt technology tools such as virtual meeting applications. Some of these technologies may not have been adequately tested for cybersecurity threats and may not have the security features built into workplace technology. Such gaps in security features increase the risk of data protection and privacy breaches through the use of untested technology.

Data sharing has become an important element in the ongoing fight against Covid-19.How do our laws protect us from the mass data collection methods already being put to use?
Persons or organisations that collect personal data from individuals are required to have a lawful basis for the collection, sharing and other processing of such information. One such basis is seeking the consent of the individual about whom the data is collected. In the absence of such consent, one must establish a legal necessity basis for collecting and processing the personal data. For example, in the context of COVID 19, personal data may be collected and processed, without the individual’s consent, where such processing is necessary for the public interest, the protection of vital interests of individuals, compliance with written laws, and the exercise of public authority.

Data about an individual’s health is considered sensitive personal data under Kenya’s data protection laws and therefore attracts a greater level of protection. For example, health data may only be collected and processed by or under the responsibility of a healthcare provider or a person who owes a professional duty of confidentiality.

The burden of proving that the collection and further processing of personal data has been consented to by the individual, or that there are grounds of necessity, lies with the person/organisation collecting and processing the data. If they are unable to provide such proof then they would be in breach of the data protection laws and would be exposed to penalties under those laws.

From an expert point of view, will there be any challenges to regulatory compliance caused by Covid-19 pandemic and if so, how will we overcome this?

The risk of non-compliance with laws and regulations (whether deliberate or inadvertent) is real. A recent example is the unwarranted increases in the price of critical healthcare products, such as sanitisers, masks and gloves by some retailers, which prompted the Competition Authority to intervene and warn of regulatory action against offending parties.

There is also a significant risk of breach of data protection laws, which are recent and not well understood by the majority of Kenyans. Health details of COVID 19 sufferers (or individuals suspected of having the disease) may be accessed and shared in an unauthorised manner as a result of inadequate security controls in organisations where such data is held.

It is essential that businesses familiarise themselves with relevant laws by seeking appropriate legal advice and implement appropriate compliance measures to mitigate the risk of breaching such laws. The penalties for breaches can be quite severe, including fines ranging in the millions of shillings to imprisonment terms, or both.

For businesses that are regulated, breaches could also result in suspension or revocation of operating licences. There is also the risk of litigation by persons that suffer loss or damage as a result of a breach of the law.

The government, through ministries and various agencies, also has a role in publicly highlighting what would be regarded as illegal or inappropriate behaviour in the context of such a crisis. This would serve as warning to businesses regarding what would be tolerated and what would not.

Due to the economic disruption especially for companies, do you foresee firms not complying or skirting regulations and perhaps even under-reporting their performance

There is a real risk of this happening. From past experience, a major global crisis generally results in an avalanche of new regulation, which greatly increases the compliance burden for businesses. New or amended laws and regulations can be complex and do not have the benefit of prior interpretation by the courts. Consequently, many businesses may find it difficult to comply with laws that they do not fully understand or that they may not even be aware of.

Many businesses also monitor which laws attract higher levels of enforcement and the most serious penalties. They are more likely to comply with laws that are strictly enforced that those that are not.

What are some of the key considerations for companies to ensure business continuity and regulatory compliance?
Companies should:

- Develop comprehensive and robust business continuity plans, which they should test and update regularly. The board and management should be able to form a rapid response crisis management team to plan and coordinate a response to the crisis. They should develop a clear communication plan for employees, customers, shareholders, suppliers and other stakeholders.

-  Secure supply chains and have a plan for financing the business in times of crisis.

-  Seek legal advice on the regulatory environment that governs their business as well as monitor and comply with new laws and regulations introduced to contain the pandemic.

-  Where applicable, actively engage with their industry associations and regulators to ensure they are up to date with appropriate guidelines for managing the situation.

What do you think will be the most significant policy lesson for businesses, especially in being prepared for such a pandemic?
This current situation emphasises the need for businesses to put in place robust business continuity plans (BCPs), which anticipate a broad range of events that could create severe disruption for the business. The BCPs will need to be regularly reviewed and amended to incorporate new threats to the business and will need to be tested periodically to gauge their effectiveness.

In the context of a pandemic threat, BCPs will need to incorporate measures designed to mobilise rapid response crisis management and planning at the highest levels of the organisation, prevent or reduce the risk of infection promote effective communication strategies for staff, clients, shareholders, suppliers, regulators and other stakeholder and provide employees with physical and mental healthcare support among others.

In challenging times like these, businesses may have no control over their operating environment, but they do have the opportunity to respond appropriately in ways that support their long-term sustainability and those of their stakeholders.