Collective action trumps privacy rights in a pandemic

We already use data mining to prevent terrorism and money laundering, why not to stop infection? By Piyush Gupta, CEO, DBS Bank

When DBS, south-east Asia’s largest bank, learnt of our first case of coronavirus back on February 11, we jumped into action. Within an hour of learning that an employee at our Singapore headquarters had been confirmed as a case of Covid-19, we had evacuated the entire floor and sent employees home.

Even so, there was understandable anxiety among our staff. At the time, banning everyone from the workplace — at that early stage of the disease’s global spread — seemed like a blunt way of responding.

Almost immediately, our data analytics and artificial intelligence team activated a contact-tracing tool to uncover the affected employee’s recent movements. To do this, they pulled the following data sources: appointments scheduled through Office 365, door and turnstile card tapping, meeting room booking and WiFi connectivity data.

This allowed us to identify 24 people who we categorised as first-degree contacts. We repeated this exercise for all 24 of them to create a second-degree contacts list, and a third-degree list. Everyone on the first two lists was quarantined for two weeks; those on the third were actively monitored. This became standard protocol, and guided our actions for all subsequent Covid-19cases.

We back-tested the system by using human call trees, asking our employees to recall who they had interacted with. Those provided much less accuracy even for first-degree contacts, and became woefully inadequate as we went to second and third degree.

Accessing this much individual information has Orwellian overtones, but I believe that leveraging data sensibly allowed us to intervene quickly, create positive health outcomes, and perhaps even save lives.

The underlying point is obvious: while individual rights to personal privacy are well acknowledged and protected, the rights of the larger body — a company, a society, a nation or even humanity — often get short shrift. These rights can and must be exercised by relevant authorities (in our case, by company management) in the greater good.

Critics argue that providing authorities with such power runs the risk of creating totalitarian surveillance regimes. This view posits that the same outcomes can be achieved by asking citizens to self-report and willingly co-operate with data gathering, eliminating the need for a centrally orchestrated and officially sponsored effort.

However, this has not turned out to be the case in the fight against Covid-19, either in Asia or in the west. It is true that in the early stages of the epidemic, Singapore was able to keep the situation well under control through targeted efforts and public responsibility. But, unfortunately, we are now seeing additional waves of infection that are more difficult to manage. The city-state has, therefore, had to take more stringent action, even enshrining enhanced social distancing into law. Despite this, we are seeing thousands of cases of individual non-compliance with the requirements.

Relying on the best intent and efforts of citizens, without a central authority pushing the agenda, seems impractical.

Similarly, it was initially thought that people in liberal democracies would not be willing to accept the sorts of restrictions on movement that were imposed on Wuhan, China, at the start of the epidemic. Nevertheless, scant weeks later, police are enforcing lockdowns in vast swaths of the western world. This begs the question: if we could really rely on individual co-operation and human to do the right thing, why would we ever need a police force at all?

Relaxing our attitudes towards data privacy seems to be an acceptable thing to do in a pandemic. But is there a lesson in this that we should extend into more normal circumstances? I believe there is, anchored in the belief that the rights of “we, the people” are as important as those of “I, the individual”. We already employ data mining to strengthen the immigration controls used to prevent terrorism and the know-your-customer controls designed to prevent money laundering.

Furthermore, fierce protectors of the right to individual data privacy may find this a losing battle. Today, we are already seeing an exponential increase in the volume and variety of data that is generated about an individual. As 5G networks roll out, our digital footprints will significantly increase, and it will be easier to follow the digital traces of physical actions through the internet of things. Today, doors and turnstiles yield information on the physical whereabouts of our people, without any notice or consent. Tomorrow, this will expand to almost every piece of equipment that we come in contact with.

While we are all rightly exercised by the pandemic now, as things settle down there is another scourge that we will need to use data to confront: climate change. While many people would willingly share personal data about their carbon footprint on a voluntary basis, there will always be holdouts — often, the biggest sinners — who will not.

Tracking carbon emission data may not seem either possible or necessary today. However, it could well be that this new crisis, looming just beyond our horizon, will prove the need for collective action to trump individual data protection once again.

This article was first published in the Financial Times.