As countries grapple with the seriousness of the COVID-19 global pandemic, privacy-intrusive measures are being taken by governments to counter the spread of the virus and to protect the health and well-being of members of the public. Understandably, there are concerns about the privacy of individuals, data breach incidents and potential discrimination against people who have contracted COVID-19 or who are from countries with a high rate of COVID-19 infections.
There is a tension between the rights of individuals under data protection / privacy laws or regulations and the rights of other individuals to be protected, to the extent reasonably feasible or necessary, from infection. A balance needs to be found between measures such as imposing travel restrictions, quarantining individuals or serving them with compulsory stay-home notices and the wider rights of the community to be protected from the danger of infection by COVID-19. The difficulty is in finding that balance, which depends at least to some extent on cultural norms and expectations. The principal public health measure employed in a large number of countries is "Contact Tracing" - that is, finding and then monitoring people who have had close contact with someone who is infected with COVID-19. Doing so requires processing of various types of personal information.
The World Health Organisation (WHO) breaks Contact Tracing down into three basic steps:
Besides Contact Tracing, other specific measures are being used by health and other government authorities in some countries that involve the use of digital technology and mass surveillance. These can be intrusive and call into question whether they involve an appropriate balance between the privacy rights of individuals and the rights of the community generally in terms of health security. For example:
Hundreds of people have started getting warnings on their mobile phones saying that they are in places of risk. The government is able to do this because it has been tracking their device locations. Messages such as these are received: "According to epidemiological research, you were close to a coronavirus carrier on March 6, 2020," read one message sent on Wednesday by the Israeli Ministry of Health. "You must go into isolation until March 20, 2020, in order to protect your relatives and the public."
Tried and failed more than twice to contact two individuals who had arrived on flights from China and Hong Kong respectively at the Taipei locations they provided. As a result, the Taipei City Government decided to publish their names, identifying the three citizens. Those who knew their whereabouts were asked to contact the 1922 hotline.
Have now gone one step further to also make public the names of those who ignore warnings not to travel to high risk countries, in addition to other punitive measures.
Undertake intensive efforts to trace the contacts of people known to be infected. Hospital staff, dedicated contact tracers, and even the police go to great lengths to interview patients about their recent whereabouts. Go the extra step to integrate data from the national health bodies, immigration and customs databases, generating data to trace people’s travel history and clinical symptoms, using mobile phones to track people. Retrieve additional data from transport companies and hotels, including consulting CCTV footage when information is unclear, unavailable or to fill in missing information on infected patients’ activities and contacts. Analyse digital footprints like ATMs, shopping centres or restaurants where they have used their credit cards. All these give a detailed breakdown of a patient’s movements from 14 days before symptoms appear and until he or she is isolated.
Can individuals object or refuse to subject themselves to various measures, such as those mentioned above, as part of their rights under data protection / privacy law (that is, for example, refuse to have their personal information collected, used or disclosed)?
We can observe that governments treat these measures very seriously. There are penalties and other enforcement actions imposed on anyone failing to comply with governmental requirements.
In Singapore, a couple from Wuhan was charged on 28 February under the Infectious Diseases Act for:
If convicted of the charges, both husband and wife face penalties of up to six months' jail, a maximum S$10,000 fine, or both, per charge.
As at 21 March the Ministry of Manpower (MOM) was reported to have already revoked 89 foreign workers’ work passes after they breached entry approval requirements and Stay-Home Notice (SHN) designed to contain the spread of COVID-19. Of these, 73 had a history of travel to COVID-19 affected countries. It was also reported that two international university students (one involved in an international exchange programme, the other a postgraduate student) had their student passes terminated for breaching their 14-day Stay-Home Notice and Leave of Absence (LOA) orders.
Similarly, in Taiwan, those who provide false information on their health declaration and home quarantine notices could be fined up to NT$150,000 (~SGD$7,100). If they breach their home isolation or quarantine regulations, they could be fined between NT$100,000 (~SGD$4,733) and NT$1 million (~SGD$47,330).
Processing personal information for contact tracing purposes is a necessity under the law on communicable disease in the Philippines. Any person or entity found in violation will be penalised with a fine of up to fifty thousand pesos (₱50,000.00) or imprisonment of up to six months, or both, at the discretion of their courts.
Individual rights are limited when it comes to government measures.
In short, when it comes to a pandemic such as COVID-19, measures that involve legal obligations (like Singapore’s Infectious Diseases Act), tasks of public authorities, public emergencies and the vital interests of individuals often limit the rights of individuals under most if not all data protection / privacy laws. The requirements under personal data / privacy laws and regulations are set aside when personal information needs to be processed for these purposes.
However, there are still data protection / privacy laws or regulations or specific public sector regulations that government agencies must comply with to safeguard personal information when it is processed for COVID-19 prevention and security measures.
In the European Union, the General Data Protection Regulation (GDPR) provides that public health authorities may process personal data in the context of epidemics without obtaining consent from individuals. The GDPR provides the legal grounds that enable employers and public health authorities to process personal data in the context of epidemics, without the need to obtain the consent of the data subject.
The same applies to the Philippines where the Data Privacy Act also covers the actions of the government. There is no need to consult the individual.
There are no specific data protection / privacy laws or regulations in China. However, there is a set of Personal Information Security Specifications (PI Specs) that serve as ‘best practice’ guidelines. The National Health Commission of China issued a notice on February 3, 2020 outlining personal information protection requirements in the context of the prevention and control of COVID-19.
So did the PRC Cyberspace Administration of China (CAC) (the key Chinese regulator on cybersecurity and, incidentally, on data privacy). On February 4, 2020, the CAC issued the “Circular on Ensuring Effective Personal Information Protection and Utilization of Big Data to Support Joint Efforts for Epidemic Prevention and Control” (CAC Circular). It provides detailed guidance on protecting personal data in the current circumstances, in accordance with Chinese laws and regulations governing cybersecurity and the prevention of public health emergencies. Unless otherwise authorised under those laws and regulations, no individual or entity may collect or use personal data without the consent of the individuals involved.
In summary, there is little an individual can do to protect their privacy when it comes to measures being implemented by the government to protect the public against COVID-19. If the purposes are justified by an existing law, when it comes to public authorities performing their tasks, or when there are public emergencies or public interest involving the vital interest of the individual, your rights under data protection laws are limited.
In Part II of this article, we shall look at what data protection or privacy rights you do have under the law.
By Kevin Shepherdson, CIPM, CIPT, GRCP, CIPP/E, CIPP/A, FIP
Lyn Boxall, CIPM, CIPP/A, CIPP/E, FIP