When it comes to public health and privacy, we shouldn’t have to choose just one
Health organizations and governments all over the world are using technology to communicate, track, monitor and predict the spread of COVID-19. In recent years, data has proven to be a valuable resource, and using it to understand the movement of people and their interactions, and so help control the spread of infection during a global pandemic, seems like an excellent use of technology.
However, unprecedented times should not result in any long-term removal of our privacy rights, especially in cases where legislation has been rushed through to allow the fulfillment of medically urgent needs for data collection or use. In some instances, data is being extracted from smartphones on an individual basis or en masse. In the current climate of COVID-19 concern, data potentially relevant to tracking the disease is being gathered, or is proposed to be gathered, via several mechanisms.
At the time of writing, there are infections in 172 countries and regions around the world, some with devastating numbers of both infections and deaths. Each country is developing its own strategy to limit the outbreak, and these strategies differ in how they use technology and tracking data.
At the start of the outbreak in China, the authorities there required citizens in Wuhan to provide personal information so that device tracking could be linked to individuals.
Singapore’s ministry of health made victims’ personal information publicly available, which allowed developers to create maps and show locations, raising security fears for those concerned. In the last few days the authorities there have also released an app called TraceTogether that uses Bluetooth to identify whether you have been in close proximity to a coronavirus patient.
In Germany, the UK, Austria, Belgium, Italy and South Korea, mobile operators have been reported to be sharing aggregated or anonymized location data with health authorities. In South Korea, data was also shared by credit-card companies. The European countries where personal data is protected by the General Data Protection Regulation are using an option to suspend the regulation in the face of a civil crisis. Article 9 of the GDPR allows for processing of health and other usually sacrosanct data when necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health.
Despite the exceptions in regulations being used to share data with health and government authorities, the regulations that cover the protection of data should be adhered to. For example, the GDPR states that data must be encrypted when at rest and in transit, and these requirements are still mandatory.
In Israel, authorities approved new surveillance measures allowing citizens to be tracked by monitoring mobile phones. In contrast, Hong Kong tagged new arrivals to the region using wrist bands that log and transmit location data to authorities, maintaining the privacy of the individual’s phone.
An intriguing use of an app comes from the Polish authorities, who require a quarantined individual to have an app released by the Ministry of Digital Affairs and to send a selfie with geo-metadata on a regular basis to prove compliance.
Several countries have passed emergency legislation to permit the use of personal data to combat the spread of the virus. For example, Italy lifted a restriction on the sharing of personal data when doing so was necessary for the performance of civil protection functions.
A few countries, including Russia and China, are using facial recognition technology to ensure that those identified as infected observe quarantine rules. The systems are collecting video through CCTV, drones and other camera-based systems.
Many of these initiatives demonstrate that innovative methods are being explored, and are in use, with governments, health professionals, technology and phone companies working together to combat the medical emergency facing the world. At the same time, privacy advocates are also being vocal about these issues.
Exceptional circumstances call for exceptional actions; the issue, though, is what happens when these circumstances have passed. Will governments return to the emergency legislation and revoke the additional rights to use personal data? Will organizations that received the data be required to delete it? Will individuals whose data was affected be notified that it was shared?
It’s our responsibility as technologists and privacy advocates to ensure that normality is restored and that we return to a world where privacy rights are respected and enforced once the current emergency is resolved.