The COVID-19 pandemic has trained a spotlight on the value of information governance (IG) because it’s amplified the need for organizations to manage the privacy, security and transparency of sensitive data and records while operating in uncharted waters. The spike in telecommuting and virtual meetings makes this all the more evident.
But the most sensitive aspect of COVID-19 as it relates to IG is the collection of health-related data. Many organizations are conducting health screenings of employees, customers and visitors – and may even be tracking their movements in order to monitor possible pathways of contamination. Meanwhile, media outlets and agencies are ravenous for any and all health data, be it anecdotal or collective, and organizations that share that data may risk noncompliance with the Health Insurance Portability and Accountability Act (HIPAA), not to mention the data privacy laws enforced by many jurisdictions.
Further complicating matters, regulators and data privacy authorities around the world are frequently adding and updating guidance for handling personal data during the pandemic.
It’s incumbent upon IG professionals to play a central role in the organization’s response to COVID-19. Here are 10 practices that can help IG professionals stay firmly on top of these governance challenges.
1. Consult with such departments as legal, HR, security, privacy, facilities and health & safety to understand the full complement of steps being taken. The IG professional must ensure that all actions are in compliance with the relevant privacy laws – which can be more complex if the organization has offices in multiple locations and countries.
2. Identify the means of collection of health data, such as apps, thermometers, paper forms, labs and screenings.
3. Identify the types of data that are being collected. This likely includes lab test results, answers on questionnaires, temperature scans and more.
4. Identify the personal information that’s being collected. Advise your colleagues to collect only the minimum amount of personally identifiable information, as determined by your various jurisdictions.
5. Determine which data and/or records can be shared with public health officials and local governmental agencies. Document how the collected data is managed.
6. Review your retention schedule’s existing classes of records or record types and identify the best fit for these new records. Consider establishing new classes for these pandemic records with their own retention rule, such as “life of the crisis” plus some number of years. Based on your risk profile, consider how long you must keep certain records, according to their class or type. For example, temperature screenings for the purpose of COVID-19 could likely be considered temporary data. Medical records for employees, though, would likely have lengthier retention periods.
7. Be as transparent as possible. Educate all employees and contractors on the steps being taken, such as the collection of data and how it’s handled, protected and shared.
8. Likewise, provide similar information to your clients, customers and vendors.
9. Consider auto-tagging any COVID-related data so that it’s more easily accessible if it’s needed to demonstrate compliance or for litigation purposes later.
10. Preserve data as required for use in analysis and for the purposes of posterity. Collaborate with IT to ensure the right choices are made regarding the lifecycle management of these COVID-related records.