After the Lockdown: Health Data Privacy and Reputational Risk

Any kind of crisis demands a swift and decisive response, and often that response involves some type of change. Rarely has a crisis rolled across the globe as quickly or comprehensively as the COVID-19 pandemic. Some of the changes that come in its wake will be temporary, some may be permanent. But a number of them, if not approached thoughtfully, carry considerable reputational risk.

That’s true of any major changes in the way organizations gather or use sensitive personal data – but it’s especially true of changes in the use of health‑related data. How those changes are navigated will depend a great deal not only on the organization, but also on the audiences that need to be engaged. And the reputational stakes will be high. Public sentiment is likely to be volatile for the foreseeable future, as people weigh their willingness to surrender some measure of privacy against their desire for more freedom of movement or the ability to return to work.

The choices organizations across the board will have to make carry a range of risks, from operational to legal and regulatory, and it’s critical to be fully prepared for the level of scrutiny new privacy-related measures may come under. That’s why your communications team needs to be at the table as high-level decisions are made, playing an active role in thinking through how or where reputational risk may emerge. Just as important, they can help ensure that the organization communicates clearly and transparently with critical audiences about what changes they should expect and how long those changes will endure. This kind of straightforward communication can not only limit risk but has potential to grow trust with key stakeholders.

Further, making sure any new measures are communicated in a way that aligns with your organization’s values and that focuses broadly on health and safety will make the difference in whether the days ahead enhance or undermine that stakeholder trust.

Based on our experience, we see the path forward on COVID-19-related data privacy issues as a four-step process:

1. Make sure a reputational lens is placed on decisions about how personal data will be collected and where it will be shared.
2. Think through and prepare for reputational risks these new measures and policies may present.
3. Maintain as much transparency about any new data collection methods and data sharing policies as possible; that includes setting expectations about how long they may be in place.
4. Have a clear plan for communicating changes and expectations to employees and other audiences that frequently interact with your organization.

As part of that communications planning, the following are some of the most critical questions to anticipate from key stakeholder groups.

Employees

Key Question: What’s going to be different and what will it mean for me?

In the end, employees will be your most critical audience to engage with and the most important to get right. They will likely be the ones who experience the most change and who will probably be volunteering the most personal data. The most important considerations will be to make sure you maintain as much transparency as you can regarding any changes in the way their data will be shared and collected, and that you also make clear any and all steps being taken to maximize employee health and safety. Transparency can be tricky in some instances. But being as open as you can initially, while also being open to and prepared for questions, will go a long way to earning both near- and long-term trust.

Customers and Clients

Key Question: Can I trust this organization to do the right things to keep me and others safe?

This will obviously depend on how your organization interacts with your customers and clients, but it should be relatively straightforward, as well. If you implement extra measures that involve gathering or using more customer or client data – and particularly if those measures aren’t readily apparent – you’ll need to set very clear expectations with your clients or customers. If data is being collected or shared in ways that might surprise them, they should be proactively informed. In some cases that might be as simple as a sign at an entrance. The primary goal is to ensure that they get this critical information from your organization and not someone else.

Regulators and Lawmakers

Key Question: How much do we define for our constituents and how much do we leave for them to decide in terms of what data is collected for public health purposes and how?

In some cases, the dynamics with this audience will be very different. With a few exceptions, most interactions organizations have had with regulators and lawmakers regarding the use and collection of personal data have either been either by law or have been in reaction to an inquiry of some kind. Given the scope of the COVID-19 response, there may be many instances that require more engagement with this audience, but there are opportunities for collaboration, as well. There’s no playbook for how to respond to a public health crisis of this size and scope, so this collaboration will be key – not in the sense of agreeing to everything regulators or officials ask for, as much just having an idea of where the limits of cooperation might be for your organization.

Interest Groups

Key Question: How far is “too far” in allowing access to personal data?

The response to this question may differ significantly depending on an individual group’s agenda. Labor groups, for example, will require active, collaborative and, ideally, transparent engagement. But the key point is this: The rules of engagement with many of these groups will largely be set by how your organization manages these changes with employees and customers in the first place. Engaging effectively with those core audiences will help mitigate any potentially contentious issues interest groups may raise. Absent that, these groups may be more primed than usual to push back directly and, potentially, in more public ways.

Data Privacy Activists and Reporters

Key Question: Who is getting it wrong in terms of the use and collection of personal data?

Just as with interest groups, how you handle your other core audiences will help to shape the dynamics of your interactions with journalists. So far, many activists have been willing to cede the fact that public health needs demand significant changes to how personal data is used and shared. However, that may not hold for long, and there’s no doubt they will be looking for examples they can portray as “bad actors” in their use or collection of personal data. Journalists, even many in the security and privacy space, have largely been focused on COVID-19. But as they return to their normal beats, they too will be looking for similar examples. To handle any contentious engagement with either of these audiences, it’s critical to ensure that your communications team has a clear view into the roll-out of your changes, a well as a sound plan for communicating those changes and staying ahead of potential issues.