Reopening digitalized economy: Practical privacy, cybersecurity considerations
Wednesday, June 10, 2020 @ 3:14 PM | By Antoine Aylwin and William Deneault-Rouillard
Has right to privacy been eroded?
Businesses have been forced to adopt several types of measures, considered necessary to battle against the spread of COVID-19 or to simply adapt to the new normal. Such actions may involve the collection, use and communication of personal information and challenge individuals’ fundamental right to privacy.
For instance, organizations may require employees and visitors to disclose any travel or known exposure to COVID-19 before being allowed inside buildings or to submit to infra-red temperature scanning as they enter the workplace. But how should an individual’s right to privacy on the one hand, and the need to ensure public health and transform ways of doing things on the other hand, be balanced in these challenging circumstances? There is no magic bullet.
On April 17, the Office of the Privacy Commissioner of Canada (OPC) published a framework for the government of Canada to assess privacy-impactful initiatives in response to COVID-19, listing the key privacy principles that must govern any assessment of measures that are considered to fight the spread of the disease and that impact Canadians’ right to privacy. The OPC states that privacy protection constitutes a “continuing imperative to preserve fundamental human rights and democratic values, even in exceptional circumstances.” [Emphasis added.]
While all of the principles are and remain imperative, the principle of necessity and proportionality is one that we believe to be of paramount importance. Despite the need to take prompt action to adjust to unprecedented and unpredictable situations, organizations must continue to ensure, even when concerned individuals have given their consent, that the collection, use and communication of personal information resulting from a given measure a) are necessary (as opposed to simply useful or convenient) to achieve the purpose of such measure; and b) result in an invasion of privacy that is proportional to the eventual benefit (i.e. there are no other less privacy-invasive means of achieving the same purpose).
A good case study, among others, is that some employers are starting to use software specifically designed for remote monitoring of employees working from home. These tools allow employers to use a dashboard that measures employees’ productivity, including time spent in front of the screen and mouse movement. Is this measure necessary and proportional? Although the issue requires a deeper legal analysis, the principle of necessity and proportionality may appear questionable here.
Is cybersecurity the new plastic?
Looking back, the introduction of plastic materials was a drastic change with worldwide impact. Similarly, nowadays, cybersecurity is having a worldwide impact and is on everyone’s lips as epidemic curves are flattening.
As COVID-19 is the first-ever pandemic that is being fought through innovative technologies, physical interactions are being diminished to a minimum and organizations across the globe are encountering sweeping changes in their business operations, such as the swift adaptation of the work-from-home strategy and metamorphosis of business models in order to embrace a more digital economy.
Consequently, such a phenomenon has opened up multiple vectors for cybercrime, with cyberattacks and data fraud ranking third among the greatest COVID-19-related business concerns, behind prolonged recession of the global economy and surge in bankruptcies.
Although the obligation to implement physical, organizational and technological security safeguards to protect personal information from unauthorized access has been legislated for quite some time now, making information security a top priority as this post-pandemic era begins, building it into product design and increasing awareness among employees may help a company attract desirable customers, investors or partners, close the deals it needs to move upmarket, and, above all else, avoid eventual disastrous security breaches resulting from cybercrime.
Drafting the foundations of an Information Security Management System (ISMS) following recognized certification programs such as the international standard for information security ISO/IEC 27001:2013 is a great first step. An appropriate ISMS must be based on risk assessments and documented with policies and procedures incorporating principles that organizations can follow for information security.
These standards guide governance and investments of resources moving forward, which should respond to identified risks. When basic security controls are implemented, a first certification can be targeted, which is an effective demonstration of technological reliability and risk control to prospective customers, investors and commercial partners.
Antoine Aylwin is co-leader of Fasken’s privacy and cybersecurity group. Based in Montreal, he focuses on access to information; privacy; administrative, civil and commercial litigation; and estate law. William Deneault-Rouillard is an associate in Fasken’s Montreal office and specializes in data protection and information security law.