Personal privacy – Does the pandemic change the rules?
It is helpful to explore this dilemma a little bit further. Rules and legislation around the right to personal privacy is at the heart of our standing and relationships within communities. Given the extent to which the use of devices is now ubiquitous, as well as the potential for data associated with these devices to identify individuals and when aggregated with other data, to provide a fuller picture of an individual’s habits, the fact that there is strict legislation controlling this is a positive factor.
In different jurisdictions, there are different rules that manage these data flows. In the US it’s Health Insurance Portability and Accountability Act (HIPAA), in the European Union it’s the General Protection Data Regulation (GDPR) that regulates the use of data and this is mirrored to a greater or lesser extent in most of the other countries in the world. While the interpretation of data legislation is often a contentious issue, and in places there are instances where it impeded, not assisted data transfer, the mainstream judgement is that these rules are worthy as they protect us, the citizens, from the indiscriminate use of our data by everyone from major corporations to governments.
The pandemic does introduce another dimension into this discussion, however. It is widely acknowledged that for effective management of outbreaks, it is necessary to identify, then track and trace every individual who is potentially at risk of developing COVID-19, specifically when individuals could well be shedding virus and be infective prior to the development of symptoms. In looking around the world at which countries have been particularly successful at managing the first wave of COVID-19, they tend to be ones which instituted processes around test, track and trace early and comprehensively. To do this with the requisite speed and scale, it is beneficial to use electronic means to contact trace, as happened in Taiwan, South Korea, Singapore and a host of other countries.
The implication is that people’s right to personal privacy around data is then secondary to the right of citizens to be protected from a contagion. These dilemmas are not new in medicine. Patient confidentiality is sacrosanct in medical practice unless there is a duty to protect others that could be harmed. There is even a process to notify authorities of diseases which have the propensity to infect populations quickly, like typhoid and conditions such as yellow fever.
There are some sound principles, however, that could be deployed to try to ensure as much confidentiality and privacy as possible to the citizen, while satisfying the need for public health systems to perform the functions they need to implement, to limit the spread of contagious disease. These include:
1. Safeguarding privacy
There are various initiatives available today which make it possible to preserve privacy and ensure there is no potential for data to be misused. The most topical one is the Apple, Google initiative. This is a process where data is never centralised, lives on your phone, is automatically erased and cannot thus be misused, even being inaccessible to others by court order. This initiative has now become the basis for a whole group of countries within the European Union and beyond and it’s an unusual example of major corporations working together for the common good. It is still unclear whether the applications produced will afford the citizens enough confidence that large enough numbers will download them and make the apps useful.
2. Sunset clauses
Unless one is using the decentralised methods described above, it is helpful to have enacted a “sunset clause” in legislation to ensure personal data will no longer be available once the emergency of the pandemic is over.
3. Secondary use of data legislation
This is always a contentious subject but there are examples of countries that have found solutions to utilise aggregated databases. FinData, the Health and Social Data permit Authority in Finland is noteworthy in this regard as an example of transparency and excellent practice. Set up in 2019, it regulates the use of data stored by various other national controllers including private controllers and stored in Kanta services (as of 2021).
South Korea has much to teach us here. Following the MERS coronavirus outbreak in 2015, legislation was implemented only to be used in a pandemic emergency, then rescinded. This legislation really changed the existing strict data guardianship rules when implemented as it allowed for an extremely comprehensive strategy for contact tracing, whereby anyone who has interacted with an infected person is traced and quarantined. This included allowing access from credit card companies, and location from cell phone carriers. This was implemented as soon as the pandemic reached South Korea, and together with other robust measures successfully protected the population from the first wave.
5. Establishing trust
This is the most valuable of all the principles and the most difficult to maintain. Populations tend to be compliant with requests from governments if significant trust exists between the citizen and the government. This is supported by a well-developed communication strategy underpinned by the use of transparency in the way data is presented.
The balance of views suggests that we are likely to see a second wave and it is essential we prepare for the second wave to ensure we manage to shield our populations better. These debates around privacy and the duty of each citizen not to harm others through contagion should be taking place now if they have not taken place previously, as this will enable us to be in the optimal place when and if the second wave strikes. We must use this time wisely.