Data Protection During a Pandemic – African DPAs Respond
In an attempt to curb the COVID-19 pandemic, governments are using citizens’ personal data by collecting health data and contact information of people suspected to have been infected by the virus. This has led to countries adopting contact tracing measures which involve the surveillance of citizens through the collection of personal data at checkpoints, hospitals, workplaces and from electronic communications service providers.
Contact tracing involves the development and maintenance of a database containing the personal data of persons who are known or reasonably suspected to have come into contact with any person known or reasonably suspected to have contracted COVID-19. This information usually includes the names, identity numbers, residential addresses and other addresses where the individual could be located, as well as the cell-phone numbers of all persons who have been tested for COVID-19 or the people they may come into contact with.
In addition, a number of countries have directed electronic communication service providers to provide the location or movements of any person known or reasonably suspected to have contracted COVID-19. This collection and processing of personal data is regulated not only by data protection laws in different territories but also by international law, such as Article 12 of the United Nations Declaration of Human Rights and Article 17 of the International Covenant on Civil and Political Rights. Generally, the right to privacy entails the protection of persons from arbitrary interference with their privacy, family or correspondence. This right also protects persons from attacks on their honour and reputation.
Nonetheless, the United Nations Secretary General, Antonio Guterres, advised that the severity of the COVID-19 pandemic justifies the limitation of rights such as the right to privacy, in order to curb the spreading of the pandemic. Additionally, member states were encouraged to adopt responses that are proportionate to fighting the pandemic while retaining the trust of citizens. Accordingly, several Data Protection Authorities (DPAs) in Africa have responded to the use of contact tracing within their respective territories. In a nutshell, the DPAs provide that the pandemic calls for certain limitations to data privacy in an effort to flatten the curve and curb the COVID-19 pandemic. However, limitations on the right to privacy should not be disproportionate to the intended purpose of curbing the virus and the limitation should only endure for the period of the pandemic.
Below are some of the detailed responses from specific DPAs in Africa:
In its response to the COVID-19 pandemic and the use of contact tracing measures, Burkina Faso’s Commission de l'Informatique et des Libertés (CIL) noted that health data qualifies as sensitive data under the Personal Data Protection Law. However, the Personal Data Protection Law provides for special circumstances when personal data and sensitive data may be processed for the protection of the population. In its message, the CIL stated that it undertakes to support the Burkinabe government by helping and facilitating the rapid and secure sharing of personal data to fight COVID-19. The CIL, however, recommended that human rights should be respected in the processing of personal data.
South Africa’s Information Regulator issued a Guidance Note in response to the Track and Trace Regulations issued in terms of the Disaster Management Act, 2002. This comes although the Protection of Personal Information Act, 2013 (POPIA) is not fully in effect. In the Guidance Note, the Information Regulator recognised that, for the effective curbing of the COVID-19 infection rate curve, tracking and tracing of infected persons and potentially infected persons is imperative. This, therefore, calls for the limitation of certain rights such as the right to privacy.
The Information Regulator's Guidance Note encourages proactive compliance with POPIA, in spite of it not yet being fully in effect. Accordingly, the Information Regulator stated that consent to be tested for COVID-19 may not be refused. Also, should a person test positive for COVID-19, this should be communicated to the relevant authorities. In addition, employers can force employees to undergo testing in order to maintain a safe working environment, and employers may request specific information on the health status of an employee in the context of COVID-19. Furthermore, electronic communications service providers may provide location-based data to the government for the purposes of managing the spread of COVID-19.
Generally, the Guidance Note states that the privacy of health information, insofar as it relates to COVID-19, and of location data must be limited under the circumstances. Further, the processing of personal data relating to COVID-19 and fighting it should be done in terms of the principles for processing personal data contained in POPIA. These include: accountability, purpose-specific processing, limitations placed on the processing and further processing of the personal data, adequate safeguards being in place, and observance of the retention and restrictions placed on the database.
In addition to the Information Regulator's Guidance Note, the Department of Co-operative Governance and Traditional Affairs amended its Regulations, pursuant to the Disaster Management Act, 2002, to provide for Contact Tracing and also provided binding Regulations for the processing of personal data for the duration of the national state of disaster in South Africa.
The Regulations provide that the information forming part of the COVID-19 database is confidential and may not be disclosed without authorisation, unless the disclosure is necessary for fighting the spread of COVID-19. Also, this personal data is to be collected for a specific duration and to be de-identified (if it will be used for research, studying or teaching purposes) or deleted within 6 weeks of termination or lapsing of the National State of Disaster. In addition to the Regulations and to provide for oversight of the Contact Tracing, a designated Judge has been appointed, in terms of the Regulations. The designated Judge is to be furnished with a weekly report from the Director General: Health setting out the location information obtained from the electronic communications service providers. Furthermore, the designated Judge may prescribe further steps to ensure the right to privacy is protected.
The Data Protection Office (DPO) issued a Guide on Data Protection for Health data and AI in the Context of the COVID-19 Pandemic on 17 April 2020. The DPO noted that data protection rights are not absolute and can in no way be a barrier to saving human lives; however, the fundamental rights to privacy and data protection are still applicable. Accordingly, a number of considerations should be taken into account when developing contact tracing apps, depending on the methodology being used and other factors, which may include:
Whether the App is a completely decentralised system where personal data is stored on the personal mobile which is controlled by the citizen.
Whether the processing is totally anonymous.
Whether the App will allow the user to voluntarily disclose information if he has contracted the virus.
The DPO also provided that employers may share employees' health details with the authorities or the Ministry of Health for treatment/health purposes. In addition, employers have a legal obligation to ensure the safety, health, and welfare of employees at work as is reasonably practicable under the Occupational Safety And Health Act, 2005. Thus, employers can rely on the exceptions set out in section 28 (1)(b)(ii) as well as section 28 (1)(b)(vii), which, read together with section 29 (1)(d)(ii) and section 29 (1)(d)(iii) of the Data Protection Act, 2017 (DPA), allow the processing of the personal data in relation to COVID-19 as long as it is in the legitimate interest of the employee.
The DPO also provided guidance on instances when employees have to work from home, including:
The employer should implement a procedure i.e. a remote working policy to outline clearly the conditions of remote work including the responsibilities of the employees.
The rules of data (including personal data) protection should be clearly stipulated in the remote working policy. In other words, the policy should cover the following matters: where the employees may take the computer and the employer’s documents, what kind of IT solutions can and must be used, where and how the documents must be kept and how to act when there is a risk of data leakage or a leak has occurred. Also, employers may request employees to sign a confidentiality agreement.
As per section 31 of the DPA, a controller or processor shall, at the time of the determination of the means for processing and at the time of the processing, implement appropriate security and organisational measures. Thus, employers will need to ensure that:
Strong password systems are implemented and two-factor authentication is enabled for additional protection.
The number of login attempts is limited to 3 attempts before the login screen is blocked.
Proper access control is provided to each employee – employees should have access to only data that they need in order to do their job.
A Virtual Private Network (VPN) is implemented to securely connect to a network for working remotely.
Employees are informed via the policy that using public Wi-Fi (in a café, shopping centre, amongst others) is not permissible. In cases where employees have no other option but to use an unsecured network, the employer should make sure the employees use a VPN and limit file sharing.
The DPO further provided that the processing of personal data and special categories of personal data by AI-driven technologies must not distort individuals' fundamental rights to privacy. It encouraged the adoption of responsible use of AI technologies. The DPO listed the following different ways that can ensure responsible use of AI in line with the basic principles of the DPA:
Data anonymisation techniques - The use of anonymisation techniques must be encouraged when deploying AI solutions. The processing of anonymised data enables the study of the movement of large groups in a more general way;
Pseudonymisation techniques - Instead of capturing the exact identity of individuals and making it available to others especially for a COVID-19 positive patient, algorithms that use pseudonymisation must be encouraged so that relevant information is made available but which does not directly reveal the identity of individuals;
Purpose limitation - All personal data processed in the context of the spread of the COVID-19 and public health must not be re-used later for other incompatible purposes;
Transparency - The automated processing of data by AI solutions must be transparent to individuals. Individuals must be provided with sufficiently comprehensive information to understand the reasons for any decisions derived from the processing of their personal data by AI means;
Right to be informed - Individuals must be informed of the types of data being collected, the purposes of the processing, the organisations who will use the data and with whom it will be shared, the duration that the data will be stored and whether the processing of their personal data is voluntary or mandatory; and
Time limitation - Although the battle against COVID-19 is still ongoing and not yet at an end, it is vital that authorities work back and re-assess the technologies deployed at the end of the battle so that any undue infringement of the rights and privacy of individuals does not become the norm of future processing.
Finally, under section 43 of the DPA, any person who commits an offence for which no specific penalty is provided or who otherwise contravenes the DPA shall, on conviction, be liable to a fine not exceeding 200,000 rupees or imprisonment for a term not exceeding 5 years.
The Ministry of Health requested that the Commission de Protection des Données Personnelles (Personal Data Protection Commission) (CPD) publish guidance on the implementation of e-health and location tracking measures during the pandemic. The CPD, accordingly, issued a Media Release on COVID-19 and digital tracing in Senegal. In its Media Release, the CPD noted that measures implemented for identification and monitoring of infected individuals (or those at risk) must be strictly limited to what is permitted under the Loi sur la Protection des Données à Caractère Personnel (Personal Data Protection Law). Further, these measures may only be implemented for the strict purposes of preventing transmission of the virus.
The CPD requires strict compliance with the following principles:
The processing of health-related data (of individuals being monitored) may only be conducted by health professionals.
Only a limited number of duly authorised persons (who have signed a confidentiality agreement) may process data related to the identification and location of monitored persons.
Data collection must be strictly limited to persons identified by the authorities who are in direct contact with infected persons.
Data collection must be strictly limited to that which is necessary for identifying and locating infected individuals.
Data may be retained only for the period necessary for the provision of healthcare and must be automatically destroyed once the purpose for which it is collected expires.
Where data is retained for the purposes of legitimate scientific research, it must be anonymised in an irreversible manner. The CPD will assess the data anonymisation process before the data is used for scientific research.
All data security measures (technical and organisational) must be strictly implemented.
The CPD’s media release also emphasised that the government must favour the least intrusive measures to protect the right to privacy. The CPD indicated its willingness to collaborate with the authorities and citizens in the fight against the pandemic while also upholding the rule of law and individual liberties.
Mali’s Autorité de Protection de Données à Caractère Personnel (APDP) issued a warning on 1 April 2020 on the collection of personal data and the protection of people's privacy. In its statement, the APDP stated that, to curb COVID-19, personal data belonging to possible carriers of the virus and those they have come in contact with is being collected. The APDP warned the public that such data constitutes sensitive data, the processing of which should be done in strict adherence to Law No. 2013-015 of 21 May 2013 on the Protection of Personal Data (Data Protection Law).
In its statement, the APDP reiterated that in terms of the Data Protection Law, during an epidemic, health data can only be collected by health authorities. Thus, the evaluation and collection of data relating to persons suffering from or presenting symptoms of COVID-19, and information on the recent movements of certain persons, are the responsibility of health authorities and other public authorities equipped and mandated to deal with a health pandemic and also bound by professional secrecy. Consequently, unauthorised individuals are strictly prohibited from collecting or publishing, in particular on the internet and social networks, the personal data of the persons affected and their possible contacts. The APDP further warned that individuals who do not adhere to the provisions of the Data Protection Law may be liable to financial and criminal sanctions provided for by the Data Protection Law and the Penal Code.
The National Commission for the Regulation of Personal Data of Morocco (CNPD) issued a Statement on 22 April 2020, in which it informed the public that it established a working group to assess the government’s tracking programme instituted to contain COVID-19 in light of personal data protection principles. The working group reached the following conclusions:
The collection and processing of personal data is lawful where it is based on the public interest.
The collection and processing of personal data is minimal and proportionate to its purpose.
The impact of the collection and processing of personal data should be minimal and proportionate in relation to its effect on privacy. It must also be proportionate in relation to government measures to protect public health.
Security officials involved in the collection and processing of personal data may not permanently record the data and it should not be accessible to them at a later time. The data must be destroyed once the public health emergency has ended.
The Instance Nationale de Protection des Données Personnelles (INPDP) recognised the need to collect personal data to curb the spread of COVID-19. The INPDP stated that, in principle, data protection does not prevent entities from collecting personal data to curb the spread of COVID-19. However, according to Article 49 of the Constitution of 2014, the collection of personal data to curb the spread of COVID-19 should be done reasonably, ensuring that the collection is not in excess of the reason for collection. The Tunisian government is encouraged to ensure and respect democracy, the rule of law and human rights, including the respect for privacy and protection of personal data.
Under the Act on the Protection of Personal Data, 2004, Article 62 prohibits the processing of health data, save when it is necessary for the development and protection of public health. The INPDP also noted that working from home is a favoured alternative during the pandemic. This means that there is personal data that is being collected by the platforms that are being used. The INPDP has encouraged these platforms to respect personal data.
In addition, telecommunication companies, online platforms and internet service providers that are actively participating in the fight against the spread of COVID-19 by sharing personal data with the government should do so with the right to privacy in mind. In light of the principles of precaution and proportionality, pre-testing of different solutions should also be recommended, as is currently the case for various drugs tested in clinical trials. If real-time information on the spread of the virus can help isolate it, it should be emphasised that the least intrusive solutions should always be prioritised.
In addition, with the increase of online education, schools and universities were advised to make use of the least intrusive software that does not infringe students' rights and to avoid processing more personal data than necessary to achieve the legitimate goal of continuing education. The INPDP also advised of the importance of providing parents with transparency regarding the processing of their children's personal data.
The INPDP also reminded citizens that personal health data cannot in any circumstances be published on social networks. The INPDP appeals to citizens, and even more to public decision-makers, to limit the use of these modern means of communication when they are mainly going to transmit or make personal health data public.
Finally, the INPDP stated that the health and personal data being collected during the subsistence of the pandemic should be destroyed after the pandemic. Moreover, in Article 26 of the Act on the Protection of Personal Data, a data controller must inform the INPDP of the end of processing of the data. The same provision gives the INPDP the power to take the necessary decision on the fate to be reserved for this data.