Government surveillance to halt COVID-19 has sparked privacy concerns.

Companies storing sensitive data will be restricted by data privacy regulations, such as GDPR.

Privacy-Enhancing Technology helps companies use data without revealing confidential information.

As scientists around the world work tirelessly to develop a viable vaccine, coordinated data-sharing has become an essential tool in the ongoing fight against coronavirus. In an effort to establish effective public health strategies and protocols for curtailing the spread of COVID-19, mass data collection methods are already being put to use.

Naturally, any type of sweeping government-sanctioned surveillance programme, however well-intentioned, raises serious questions: how is our sensitive data being used? Who has access to it? How vulnerable is our data to leaks and hacks? How could it be exploited by private companies in the future? And, of course, is there a way to mitigate the risk of privacy breaches?

These are important questions that will most certainly resurface – even if we’re too preoccupied to think about them today – once panic ebbs and calm has been restored in the post-coronavirus era.

Keeping close tabs on the health and location data of local populations may, in fact, be the key to an effective containment strategy. For example, real-time data about the geographic distribution and health status of both the quarantined and infected patients reveals critical insights about the effectiveness of preventive health measures. Our personal data is currently being collected, used and shared in a variety of ways:

Mobile location data is providing governments with advanced tracking capabilities to help authorities enforce quarantines.

Facial recognition technology linked with biometric databases is being integrated with digital thermometers to help capture the identity of individuals with a fever.

Open-source applications like Nextstrain are using Gisaid, a platform for sharing genomic data, to help researchers track and study the evolution of coronavirus.

Total confirmed cases and total deaths from coronavirus worldwide, as of March 30. Image: Worldometers

During an extraordinary crisis, many governments are willing to overlook privacy implications in an effort to save lives. However, the sensitive data that’s being collected is not exclusive to public health organizations and governments. In the United States, the government is openly working with Verily, a Google sister company, to offer online screening tests that require users to have a Google account. Sensitive data is also being accessed by surveillance technology companies and mobile app developers. Users of the Corona 100m app, for example, can see the date that a coronavirus patient was infected, along with the patient’s nationality, gender, age and the locations the patient visited.

Under ordinary circumstances, sensitive patient-linked medical records can and should be kept private. Exposing them to private companies, even in the interest of public health, is a source of concern because these records hold significant commercial value. They could, for instance, provide advertising agencies with valuable targeting data for healthcare and pharmaceutical companies. They could also help inform decision-making by health insurers seeking to verify medical histories when processing new policies and claims. Databases that contain identities linked with mobile location data also carry a price tag, especially for consumer markets.

Companies seeking to store sensitive data of any kind, and perhaps leverage it for future commercial gain, will be restricted by data privacy regulations such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). However, to fully ensure regulatory compliance and protect data – an exponentially valuable business asset – enterprises must embrace the latest innovations in Privacy-Enhancing Technology (PET). This new category of privacy technology, as highlighted by the World Economic Forum, enables businesses to leverage insights derived from third-party private data without revealing confidential information that cannot and should not be shared for ethical, legal or business reasons.

Implementing PET, as discussed in US Senator Kirsten Gillibrand’s recently proposed Data Protection Act, should be a critical priority for the business community. Fortunately for enterprises, advanced cryptographic techniques based on PET are already in use. They have been rigorously tried and tested by the global academic community, and industry leaders are actively involved in PET standardization efforts like ZKProof to facilitate wider adoption. If implemented properly, PET can empower, rather than constrain, companies. It can help them safely leverage third-party data and stay competitive, without putting user privacy or confidential business data at risk.