If we are going to end social distancing, we will need to find a way to know who has COVID-19 and where they are. Temperature and symptom tracking, testing, and contact tracing are regularly mentioned as a part of long-term solutions. This is a lot of data about individuals that will be tracked and reported by businesses and government agencies. Actions will be taken based on this data – individuals will be told to quarantine, businesses will be told to shut down, communities will be told to stay at home.
Designing a data collection system that is trusted and regulated will be key for a sustainable solution. As a business school professor, regulation is not my answer to most problems. However, the intimacy of the data needed and the breadth of the collection required will necessitate strict regulations since we do not have trusted organizations to do this well (to be blunt). Data about individuals is covertly captured and aggregated by unknown companies. So it is not surprising to find location data aggregators and social networking companies suddenly able to provide the travel patterns of individuals to track the virus.
Let’s consider what will not work: having apps leak our location data to commercial data aggregators who maintain a dataset of identifiable location history data that is for sale; or having businesses collect our temperatures and symptoms – as employees or as customers – and then using that data to report pandemic concerns as well as keeping the data for later marketing or employment decisions.
Two rules to keep in mind when planning data collection:
- We regularly share information with a person or organization with specific privacy expectations around how that information will be used and shared (Martin 2016; Nissenbaum 2010). Data collected to track a pandemic is no different.
- If privacy expectations are not respected, then people stop sharing their data or start subverting the data collection system. In other areas of life, we give false information or use technology to block trackers. However, tracking a possible outbreak of a virus is a situation where we need better, accurate, less biased data collection.
Fortunately, we have done this before. Consider the Census. We generally share information about ourselves and our homes with an understanding that the information will be protected within the Census Bureau. However, Census data is heavily regulated. Within the Census Bureau, only small number of people have access to the individualized data – that data where you and I can be identified. Otherwise, researchers, reporters, statisticians, economists, etc work with Census data at block or anonymized level. There are clear rules about what organizations can have access to that data.
What this means is that data collectors, aggregators, and controllers of our location and health data need to be highly trusted and regulated organizations. In general:
- Collection of health data. While medical providers are heavily regulated, medical data is not. If the systematic collection of temperature and COVID-19 symptoms will need to be collected widely and centralized for analysis, new laws will be required to specify that commercial organizations collecting health data for tracking infectious diseases – e.g., a store taking temperatures before letting customers or employees inside – would have limitations placed on them as to how that data can be shared and used.
- Collection of location data. The collection of location data should be regulated — period. Helen Nissenbaum and I conducted a study focused on location data collected by different organizations – family, government, commercial, employers, etc – via different methods (Martin and Nissenbaum 2020). Respondents found the collection of location data to make inferences about where they are and who they are with to always be a violation of privacy – no matter who collects that data. In fact, our study found that data aggregators were deemed the worst actor to have our location data.
We have a systemized collection of data at a national level with a trusted government agency that is then heavily regulated. We need to be similarly thoughtful in any systematic data collection effort to track COVID-19 or any infectious disease.
Martin, Kirsten. 2016. “Understanding Privacy Online: Development of a Social Contract Approach to Privacy.” Journal of Business Ethics 137 (3): 551–69. https://doi.org/10.1007/s10551-015-2565-9.
Martin, Kirsten, and Helen Nissenbaum. 2020. “What Is It About Location?” Berkeley Technology Law Journal (Forthcoming) 35 (1). https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3360409.