Data Protection for All — A New Normal


The massive increase in the collection of personal data is considered one of the unexpected consequences of the COVID-19 pandemic. With a huge percentage of the world’s population working remotely for an indefinite amount of time, people have to sign up to communication platforms and digital tools without even a clear understanding of how those tools are harvesting their data.

The invasiveness of the measures can vary from one jurisdiction to another. Some governments have enabled contact tracing by asking people to download certain apps. Others have taken advantage of geo-fencing technology to ensure people stay within the fence. In extreme cases, details of the infected individual’ age, gender and most recent location were shared via text message.

Many organisations are seeing the importance of strengthening their current data protection practices and systems. Case in point, in Singapore, they created the Personal Data Protection Act or PDPA guidelines. Knowledge of the PDPA guidelines has helped organisations avoid large fines and reputation damage.

Conversations with IT and stakeholders is also considered ideal to achieve a clear understanding of the short and long-term organisation objectives.  The European Data Protection Board and the European Commission are coordinating app development and related issues and have provided guidance in terms of the use of personal data.

Data Protection obligations and Rights

For many European-style data protection regimes, personal data needs to be processed lawfully and fairly and used only for legitimate purposes that the individual is aware of. Personal data holdings should also not be excessive when it comes to the purposes for which the data was collected.

It should also be purged securely once the purposes have been fulfilled. If personal data are processed for new purposes, the processing can only be done given there is a legitimate purpose for doing so. The affected individual should also be notified of said legitimate purpose.

Generally, data protection laws should give individuals access to any personal data held about them. They can also request to have any inaccurate data about them to be deleted or corrected. Businesses are required to cease the processing of personal data once the purpose for which it has been collected has been exhausted.

Data retention periods can differ. However, each data controller needs to determine how long the data will be kept. At the same time, they need to ascertain how data can be securely deleted once the purpose for keeping the data has been satisfied.

To ensure that personal data is only processed for authorised purposes, contractual or other provisions should be put in place when personal data holdings are shared between parties. It is also required that data is securely stored and transmitted.

Also, when a data breach occurs, an incident response plan should be in place. Service providers that use subcontractors without the approval of the data controller are also prohibited. This is especially true when international transfers of data take place.

For special personal data categories like health data, it is crucial to retain and collect only the minimum amount of information to fulfil the stated purpose. To avoid collecting too much data, you need to make sure the data collected are:

  • Enough to properly fulfil the purpose stated
  • Relevant and has a sensible link to the purpose stated
  • Limited to what is required (in other words, organisations should not hold more data that what is needed to fulfil the purpose they have stated)

Most people nowadays accept the need for new steps to protect the most vulnerable as well as the community at large. Ideally, an eye should be kept on the long-term use of any data that’s collected so privacy won’t become another casualty of the crisis.