Since its outbreak in the end of 2019, COVID-19 has quickly escalated into a global health crisis. Characterised by the World Health Organisation as a pandemic in March 2020, COVID-19 has claimed about a million of lives worldwide and infected tens of millions. Needless to say, it has also adversely impacted our lives in Hong Kong.
Governments around the world have taken different measures to contain the spread of the disease, such as deploying large-scale surveillance protocols to track down the infected and trace their contacts, locking down infected areas, and implementing “work from home” arrangements to enhance social distancing. Increasingly, governments are also looking to unorthodox technological measures to help them fight the pandemic. While public health surveillance technologies have become an integral part of many pandemic prevention and containment strategies, we should always be vigilant to the personal data privacy concerns that are raised in the process.
Globally, contact tracing or exposure notification mobile apps are regarded as a crucial and novel way to contain the spread of the pandemic, amongst other technological measures. This method generally uses bluetooth signals of mobile devices to keep records of individuals who come into close proximity of each other, which in theory allows public health officials to notify or even quarantine people who are in close contact with the infected. As of mid-September 2020, at least 37 places have been developing or have launched bluetooth-based mobile apps for contact tracing. In a centralised approach, anonymised proximity data are often collected by the app, and then uploaded to central servers when a user becomes infected. Some countries such as India, Bahrain and Kuwait have further incorporated real-time GPS tracking data into the apps, thereby increasing data accuracy and tracing effectiveness. However, this way of continuously tracing geolocation data is highly privacy-intrusive, and is advised against by many data protection authorities and human rights groups. In a decentralised approach, anonymised proximity data are collected by the app but are stored locally; only when the individual concerned is infected will their pseudonym ID assigned by the app be uploaded to central servers to notify those who have been exposed. In the “Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak” issued in April 2020, the European Data Protection Board (EDPB) took the view that the decentralised approach was most in line with the principle of data minimization. Among others, the EDPB stressed the importance of data protection by design and by default when developing these contact tracing measures.
While these digital technologies provide powerful tools for governments to fight COVID-19, their efficacy depends on people’s trust and confidence in such applications. These measures should therefore be implemented with careful planning and transparency, upon consultation with major stakeholders in the society and with robust privacy by design protection. Before rolling out these digital measures, governments have to consider privacy implications, including but not limited to:
- The legal basis for collecting and use of personal data in these digital measures;
- Whether the use of these measures is necessary and proportionate, taking into account the amount of personal data collected, the specific purpose(s) of collection, how the data will be processed and shared and whether any less privacy intrusive alternatives are available;
- The quality of the personal data collected such that accuracy of these digital measures can be ensured;
- Whether the digital measures are implemented with transparency, accountability and full explanation;
- Whether the public will be given a free and informed choice of using these measures; and
- The period which these measures will be in place and for how long the personal data will be retained. Data should only be retained for so long as is necessary to achieve the purposes for which it was collected.
While privacy right is a fundamental human right, I reckon that it is not an absolute right and is subject to other competing rights and interests, such as the right to life and the interests of public health. Some jurisdictions such as the US health authorities and the Hungarian government adopt a relaxation or amendment of certain laws and enforcement policies to cater for unconventional uses of personal data in order to reduce the hindrance to pandemic fighting measures. Common practices include the temporary suspension of data subjects’ rights to notice and access data or the waiver for non-compliance with some legislation on the use and processing of health data.
On the other hand, in view of the increased collection and use of personal data and its impact on our daily lives, some authorities are moving in the other direction to tighten up privacy protection specific to the use of personal data during COVID-19. A good example here is the Australian government. Australia passed the Privacy Amendment Act in June 2020 to better protect and secure the personal data collected by the Australian contact tracing app. The legislation also specified that the data collected by the app could not be used to enforce other laws unrelated to contact tracing. Similar safeguarding legislative amendments are also being discussed in the US.
Back in Hong Kong, we have been fighting COVID-19 since late January 2020. The Hong Kong SAR Government has deployed various data-led measures to contain the spread of the virus, such as the use of “StayHomeSafe” mobile app for quarantine persons, launching an interactive online dashboard to keep the public informed of the spread of the virus, the use of the Major Incident Investigation and Disaster Support System (commonly known as the Supercomputer) to trace sources of infection and close contacts of infected persons. I observe that good efforts have been made to minimise personal data privacy intrusion.
Recently, to further strengthen the fight against the pandemic with the aim to resuming normal activities as soon as possible, I note that the Government has introduced or planned to introduce new initiatives. An example is a voluntary universal community COVID-19 testing programme with the aim of identifying asymptomatic cases. The much discussed introduction of a health code system allows those who have been tested negative for COVID-19 to travel from Hong Kong to Guangdong or Macao without being bound by the 14-day mandatory quarantine requirement imposed by the relevant authorities. In planning these initiatives, it is important to consider, and incorporate, the protection of personal data in the design of the programmes. These include, for example, that only necessary but not excessive personal data are collected; collection purposes, class of transferees, whether it is mandatory to provide the data, etc. have to be clearly specified in the personal information collection statement (PICS); the data subject has to be given the choice to consider the PICS and make an informed decision before any personal data is given and the express and voluntary consent of the data subject has to be obtained if the data is used for a new purpose. To ensure adherence to the data protection measures, well devised step-by-step procedures and proper oversight of the implementation details must be embodied as integral parts of the programmes.
– Ada Chung Lai-ling, Barrister
Privacy Commissioner for Personal Data Hong Kong