- Undermining the former risks damaging the latter
By Ramathi Bandaranayake and Ashwini Natesan
Efforts such as contact tracing and quarantine monitoring during COVID-19 have necessitated the extensive collection of personally identifiable information (PII). This includes name, sex, address, details of one’s close contacts, travel history, contact details, place of work, and information on symptoms of COVID-19.
While this data collection is necessary and important, questions about privacy and the protection of PII have emerged. Who collects the data? Once it is collected, who will have access to it? Is it ensured that data collected will be used solely for the purposes of COVID-19 response? How long will the data be retained? An ongoing debate worldwide over the course of the pandemic is how these two needs can be balanced.
Some argue that in the contest between privacy and public health, priority should be given to health. It is reasoned that in a life-threatening public health emergency, it is more important to combat the disease than to protect individual privacy. However, the choice between privacy and public health is not zero sum, and violations of privacy can in fact undermine the broader public health response.
For instance, it has been observed in Sri Lanka that the identities of COVID-19 patients and their families have been exposed on social media and in traditional media. The fear of this exposure, and the social stigma it entails, have led some to withhold information in contact tracing investigations. Others, in particular women, have been reluctant to give their details to the establishments and businesses they visit and public transport they use. Some have even reported receiving harassing calls after giving their contact details.
Furthermore, digital solutions such as the Stay Safe application have faced cybersecurity concerns. It was found that it was possible to check the COVID status of a given NIC via an API call (the ICT Agency of Sri Lanka (ICTA) later stated that the privacy concerns had been addressed). Such concerns could risk damaging trust in the app and make people more reluctant to use it.
Hence, violations of privacy can damage the wider public health response if people are reluctant to give their details or information on their whereabouts due to fear of harassment and stigmatisation. While balancing privacy and pandemic prevention is tricky, there are steps that can be taken towards this.
Firstly, stricter procedures and structures for the collection and governance of personal data could be instituted. When the COVID-19 outbreak began, it was a new, formerly unknown disease. Many of the procedures and instructions for the collection of PII in Sri Lanka during COVID-19 emerged in an ad-hoc fashion, through circulars and gazette notifications, and health workers had to evolve both formal and informal methods of information sharing somewhat spontaneously.
Policies such as the National Policy on Health Information (2017) and the National Digital Health Guidelines and Standards (NDHGS) Version 2.0 (2020) have been released. However, the NDHGS has not yet been implemented fully across the country.
The National Policy on Health Information provides broad strategies for storing, backing up, archiving, disposing of, and sharing data. However, while privacy and confidentiality are touched upon, roles such as data controller and data processor are not defined. Furthermore, the emergency nature of epidemic situations means that data collection needs are likely to be far more urgent and more intensive than in non-epidemic healthcare situations.
Sri Lanka does to yet have a personal data protection law in force. The text of the draft bill does allow the processing of “special categories of data,” which includes “data concerning health,” if needed to control or prevent communicable diseases and dangers to public health, without consent.
During the COVID-19 pandemic, while the need to protect the privacy of patients has been recognised and actions have been taken by health officials to do so in Sri Lanka, an overall governance structure for the collection and preservation of PII during epidemics does not appear to be in place.
A stronger specification of what kind of information should be collected, from whom it is collected, how it is collected, which authorities will collect and access the information, and for how long and where it will be retained, the format of the information, and the secure transmission of information, are needed.
Strict non-disclosure and use requirements should also be imposed on third party establishments required to collect personal information to avoid revealing information to those other than the relevant authorities, and to prevent information being used for purposes other than epidemic response. If digital technologies are being used, the creation of data governance structures and extensive testing for cybersecurity concerns should be required in advance.
Instituting these procedures will help increase trust with the public, since it will be clearly stated what information the public may be expected to provide and to whom they will be providing this information, together with assurances that this information will be protected. This could help allay some of the fears around stigma, harassment and cybersecurity, and make the public more open to providing information.
In some cases, due to the close-knit nature of communities, it is extremely difficult to keep the identities of COVID-19 patients and their families private – if an official were to visit the house of a patient, it is likely that the immediate community would come to know. While steps have been taken to protect the interests of citizens, more awareness and sensitising of communities are needed.
Risk communication activities to alleviate the stigma of COVID-19 are needed in order to protect patients and their contacts from stigmatisation and harassment. In addition, media ethics guidelines need to be followed when it comes to reporting on COVID-19 cases, so that the identities of COVID-19 patients and their contacts are respected and kept private.
While data collection is vital during a pandemic, it is essential that data governance mechanisms are put in place to maintain trust and make the public comfortable with providing the necessary information. Without these assurances, pandemic response plans themselves may backfire.
[Ramathi Bandaranayake is a Researcher and Ashwini Natesan is a Research Fellow at LIRNEasia, a regional digital policy think tank based in Colombo and active in the Asia-Pacific region. This op-ed is based on research supported financially by the International Development Research Center (IDRC).]