Privacy during the Pandemic

As institutions have moved to more remote learning and remote work due to the COVID-19 pandemic, privacy professionals have reported a slew of new privacy concerns while working to increase the visibility of privacy and adapt processes and policies to address recent concerns. In our interviews with privacy professionals, they primarily flagged concerns related to institutions' use of contact tracing; faculty, staff, and student privacy at home; and videoconferencing.

Contact-tracing data needs privacy attention. Over the summer, planning for a possible return to in-person or hybrid learning required a great deal of flexibility and preparation for a variety of scenarios with important data privacy implications. Many institutions' plans relied in part on contact tracing to allow for the return of students, faculty, and staff to campus. However, institutions approached their plans for collecting and using data for contact tracing in different ways, and some of our interviewees reported that, for reasons related to institutional culture and awareness about the role of privacy, they were not included in contact-tracing planning meetings, even as other senior leaders were invited to participate. As institutions continue to collect and store personal data to ensure a safe and secure presence on campus, privacy professionals should be consulted to help institutions be transparent about their data processes and to ensure the privacy of individuals is safeguarded.

To cite just one example, the University of Michigan has created several resources to explain the use of its symptom tracking app, ResponsiBLUE. The FAQ provides answers for faculty, staff, and students regarding why, how, and which data the institution is collecting, and the related privacy policy provides greater detail about the type of data the institution collects and the data's life cycle. This type of easily consumable privacy resource showcases how institutions can develop similar documents and policies in order to move away from practice of issuing privacy notices that consist of dense, intimidating "walls of text."

Privacy concerns arise when staff, faculty, and students work and learn from home. Although most institutions have done an effective job setting up remote working, teaching, and learning capabilities for their staff, faculty, and students, our interviewees raised a few lingering privacy concerns. One of the main concerns we heard is also an issue of equity, focused on the spaces people have available to them when learning or working from home. In some homes, holding a phone or video call without being overheard by a roommate or family member is difficult or impossible. People may have to use their personal devices for work, devices that might be shared with other household members. If private information is being shared in either of these cases, such sharing could lead to a breach of privacy, with serious implications for the person and/or the institution. Interviewees also pointed out that these other potential listeners in the home may not be other persons at all but rather "listening" devices such as an Amazon Alexa or Google Home. Reminding staff, faculty, and students about these devices is important for protecting privacy, as is creating resources, such as this COVID-19 resource page put together at the University of California San Diego (UCSD), to help people manage sensitive work conversations.

Videoconferencing brings its own issues. Perhaps one of the most widely discussed privacy concerns that has arisen due to the ubiquitous use of videoconferencing for remote learning is the recording of students' names, faces, and home environments. Reports of "Zoom bombing" hit institutions and major news outlets in the early months of the pandemic. Videoconferencing apps adapted quickly, and students and faculty have generally been able to solve these problems through the proper use of in-app security tools and virtual backgrounds. Many institutions have put together videoconferencing resources, such as this videoconferencing privacy page from the University of Michigan

With a dramatic rise in the number of students engaged in remote learning came an equally dramatic rise in the use of online proctored exams, some of which may be facilitated through a videoconferencing tool. This rise in online exams led to its own set of privacy concerns as students had to reveal their bedrooms or other personal spaces to proctors who were working from home, not to mention the slew of private student data that was potentially being shared with proctors. UCSD's COVID-19 resource page also has a section for instructors containing privacy information and recommendations for online proctoring.

Top Privacy Issues during the Pandemic

Contact Tracing

  • The collection of PII to mitigate health and safety risks as people return to campus
  • Educating students, faculty, and staff on what data are being collected, how the data will be used, and how the data will be managed over time
  • Student, faculty, and staff use of contact-tracing/symptom-tracking apps

Privacy in the Home

  • Staff using personal devices that might be shared with other family members
  • Overhearing private meetings due to space constraints in the home
  • The use of listening devices in the home (e.g., Alexa)

Videoconferencing

  • Student names and faces being recorded
  • "Zoom bombing" or other videoconferencing management issues
  • HIPAA concerns arising from moving medical services and business processes online
  • Privacy concerns of online proctored exams

Digitizing business processes provides privacy opportunities. As students, faculty, and staff have moved to remote learning and remote work, many business processes are being digitized with the help of IT to continue to provide services and to save time and money moving forward. Institutions approach this digitization in many ways, but opportunities arise to ask questions about personal data collection, regardless of an institution's approach. The privacy professionals we interviewed recommended having a conversation with the IT customer requesting the service, working together to answer the following questions when a business process requires the collection of personal data:

  • Why is this process important? What is the outcome?
  • What type of data are you collecting?
  • What is the minimum amount of data we can collect to achieve the desired outcome?
  • Who will have access to these data?
  • How will the data be used and stored and for how long?

Answering these or similar questions through discussions simplifies the work that IT and the requester will undertake to achieve their goals with the greatest regard for data privacy as well as resource allocation.

Privacy has gained visibility during the pandemic. As concerns about contact tracing and "Zoom bombing" have filled the media, more people are being exposed to privacy topics and conversations. Interviewees reported that, compared to pre-pandemic times, this growing awareness had led to fewer requests overall for eleventh-hour privacy stamps of approval, as well as more institutional members reaching out with privacy questions about plans to gather and utilize personal data in research and analytics projects.

Interviewees urged other privacy professionals to not let this heightened awareness and discussion of privacy lapse. Instead, they recommended using the current momentum to further raise awareness of privacy across the institution and encourage more thinking about the ethical use of data and the current dynamics of policy, safety, security, and privacy.