A Balancing Act
By: Monique Verduyn
As countries and companies around the world focus on technologies such as tracking, tracing, and testing to fight the coronavirus, coordinated mass data-sharing has become an essential tool.
But what does that mean for personal privacy? The World Health Organization’s guidance on global surveillance defines public health surveillance as the continuous, systematic collection, analysis and interpretation of health-related data needed for the planning, implementation and evaluation of public health practice in relation to COVID-19.
Who is tracking whom?
The European Data Protection Supervisor is cooperating with EU institutions and the European Data Protection Board to ensure fundamental rights are respected, with a Covid-19 task force following developments and preparing for the future of data protection and privacy after the crisis.
Our own Department of Health has developed a national database to enable the tracing of people who are known or suspected to have come into contact with anyone who has contracted COVID-19. But sensitive data about our location and health status may be involved, and once information is stored in a database it is always hackable.
Tefo Mohapi, CEO of iAfrikan, a company that tracks the impacts of digital technology, says the laws are specific but not without risk. “In South Africa, only the director general of the Ministry of Health is allowed to access the COVID-19 tracking database and request location data from mobile service providers. As with all laws, though, these can be abused.”
All we can do, Mohapi adds, is adopt a wait-and-see approach. “One danger is that unauthorised people gain access to the tracking database and publicise citizens’ COVID-19 status or other data,” he says. “Another worry is that the data could be used by other state organs for purposes yet unknown. More than ever before, we as citizens must be alert and vigilant.”
Good intentions not enough
Though it is understandable that government is considering all possible options to try and flatten the curve, says Ahmore Burger- Smidt, director and head of data privacy practice at Werksmans Attorneys, South Africa has been playing catch-up in implementing data-privacy laws. “It’s a sensitive balancing act to protect individual privacy, which is a fundamental human right, and the collection of health information that is critical to the public good.”
The ability to identify hotspot areas where infections are prevalent is without doubt crucial. If we were to follow Protection
of Personal Information Act (POPIA) principles, delayed once again by the coronavirus, it would mean that information collected could only be used to address COVID-19 and not for any other purposes, and only relevant information could be collected and kept secure.
“But there are important questions,” says Burger-Smidt. “What will happen without POPIA during and after COVID-19? Regulations also stipulate this database should be anonymised after the lockdown and preserved for research purposes, but we cannot be sure that this will happen.”
Concerns about security are reasonable. South Africa has experienced a disturbingly high number of data breaches in the last few years, including one against the Civil Aviation Authority and two ransomware hits on City Power within a couple of months.
The required levels of digital trust cannot be built only upon statements of good intent without addressing security measures, says Burger-Smidt. “If we had empowered, effective and real- time independent oversight and verification, and prompt and public reporting, it would be easier to nurture trust, but we have not seen public reporting. Fears that the personal data collected could be targeted by cyber-criminals cannot be ignored.”
The idea is that for COVID-19 technological solutions to succeed, people need to be in control of their data. To this end, privacy principles around the world include:
- Obtaining consent and being transparent about the reason for collecting data, what data is collected and how long it is kept.
- Collecting the minimal amount of data, providing appropriate safeguards to secure said data.
- Not sharing data or health status without consent.
- Deleting the data as soon as it is no longer needed for the emergency.