What is the issue?
In response to the COVID-19 pandemic, governments have introduced measures around bio-surveillance, censorship and misinformation that could have significant impacts on privacy rights. Among recent initiatives, governments have passed laws around the tracking of people’s movements, communications and health data, leveraging telecommunications, camera footage, transport bookings, financial data, social media, facial recognition and temperature checkpoints.
Governments are setting up these systems, but private businesses are providing the tools. In this context, businesses may be aiding governments in measures that violate civil and political rights. Businesses may also be adversely impacting people’s human rights without the involvement of governments. Therefore, it is incumbent on businesses to think carefully about their obligations under international human rights law.
Privacy rights and cyber security-related business challenges have been amplified by the COVID pandemic, raising concerns for institutional investors. This briefing provides guidance to support investors in developing a better understanding of the scope of risks and their potential impacts on portfolio companies. The table below sets out examples.
Key near term investor actions
Below is a list of questions for investors to consider for their stewardship activities that will help set expectations for investee companies around privacy rights and cyber governance issues.3 The list is not exhaustive and should be adapted depending on the business sector and company location.
Considerations around privacy rights
- Has the company identified clear social benefits for services provided to governments during the pandemic? If the company is profiting from the situation created by the pandemic, it should ensure it does not lock public authorities into exclusive long-term contracts and that the services are provided only for the necessary period of time.
- Has the company identified its legal responsibility in terms of protecting end-users’ privacy rights?
- Has the company carried out due diligence of its products or services to assess privacy rights risks, including providing third party access to users’ sensitive information?
- Will the company delete the data collected through tracing apps after the crisis? How will this be ensured?
- Will surveillance measures be rolled back at the end of the pandemic?
- Has the company identified whether parts of the population are being excluded as a result of technological choices? Will those without a smart mobile phone be left out?
- Can the company guarantee that all the data collected is relevant to the required purposes and is not more than necessary?
- Is the company being transparent about the type of data gathered, who it will share the data with, on what basis, and for what purposes?
- Has the company made sure there are no other solutions available that are less data-exploitative?
- Are the activities of the company in the development of the technology lawful – respecting human rights frameworks and data privacy principles?
Considerations around cyber security
- What is the governance structure underpinning cyber security and can the company demonstrate its effectiveness?
- Does the board have expertise on cyber security?
- How does the company address gaps in skills and experience relating to cyber security?
- What are the company’s strategic and compliance priorities regarding cyber security?
- Has the company carried out due diligence to identify key concerns around cyber security within the value chain?
- What cyber security metrics are reported to the board, and how are these linked to wider incentives and benchmarking across the company?
- How has board reporting on cyber security enhanced cyber security plans and strategy?
- What has been learnt from cyber security breaches and how has the company modified mechanisms to reflect these experiences?
- How is the company strengthening organisational capacity as part of its cyber security strategy?
Examples of corporate good practice
RiskRecon | Sector: Financial | HQ: US
RiskRecon, a risk management provider, is offering free cyber security rating assessments to the end of 2020 to small businesses and healthcare providers in Canada and the US, in partnership with the Health Information Sharing and Analysis Centre. The initiative aims to support companies exposed to the increase in cyber risks caused by the pandemic. The assessments help businesses identify and address potential vulnerabilities in their systems, providing recommendations to strengthen cyber security structures.
National Cyber Security Centre | UK
The National Cyber Security Centre in the UK has provided guidance to help businesses manage the technological challenges presented by COVID-19. Extensive and detailed guidance covered areas such as video conference services, scam emails and service providers, aiming to help organisations improve their IT services and support.
Tools, guidance and further resources
Podcasts and webinars
- Webinar - Navigating cyber security and privacy rights during COVID-19
- Webinar - Cybersecurity: An Enabler of Business Continuity during the COVID-19 Crisis
- Webinar - Business Life After the Virus: Disruption
Guidance documents and resources
- PRI’s report - Engaging on Cyber Security: Results of the PRI collaborative engagement 2017-2019
- PRI’s blog - Why cyber security and governance should go hand in hand
- Privacy International article - COVID contact tracing apps are a complicated mess: what you need to know
- Privacy International article - COVID-19 response: Corporate Exploitation
- Human Rights Watch – Mobile Location Data and COVID-19: Q&A
1 International Observatory of Human Rights, 2020, Russia: AI and hi-tech surveillance to fight the COVID-19 epidemic amidst fears of rights violations
2 Council of Europe, 2020, AI and control of COVID-19
3 PRI, 2020, Engaging on cyber security: Results of the PRI collaborative engagement 2017-2019