Data-Driven Responses to the Coronavirus Pandemic and the Privacy Implications
Many states are using data in innovative ways to tackle the spread of the coronavirus. From track and trace capabilities to the use of telecommunications data for quarantine enforcement, we highlight some of these data-driven national responses and discuss potential implications.
Technology is an important enabler in fighting disease, and the collection and analysis of data is a crucial part of that fight. Looking at case studies from Taiwan, Singapore, South Korea and Israel, we reveal how, even among democratic countries, some data-driven coronavirus interventions are more intrusive than others. All four countries have previously been criticised for pushing the boundaries on privacy rights.
In Singapore, Taiwan and South Korea, preparation and prior experience have informed the development of sophisticated tech-driven responses to the coronavirus pandemic. Owing to previous pandemics, like Severe Acute Respiratory Syndrome (SARS) in 2002–3, Swine Flu in 2009, and Middle East Respiratory Syndrome (MERS) in 2015, these three Asian countries had already reassessed their public health approaches. They have since been presented as a model to contain and delay the spread of the virus.
The UK government, in partnership with NHSX, the innovation arm of the NHS, is building an app to alert users if they are in close proximity to someone with coronavirus. Understandably, this may raise concerns about privacy, and the extent to which the public will receive transparent information during a fast-moving national crisis. Containing and delaying coronavirus will demand innovative and at-pace interventions, many of which require detailed personal data. Many existing safeguards, including GDPR data privacy regulations, include exemptions for national security, which may be used in any coronavirus-related measures. Therefore, governments should carefully consider the information and capabilities they need to address the coronavirus challenge, and the extent to which they can be implemented while adhering to the spirit of existing privacy safeguards.
Taiwan
The Taiwanese government is vigorously using technology to contain the threat of infection. Soon after the outbreak began, the Taiwanese government linked data from national health insurance datasets with the immigration and customs database to provide automated alerts to those who may be at risk. The government then analysed data from citizens’ 14-day travel history to identify at-risk travellers. In addition to temperature monitors already in airports from 2003, passengers from abroad can also scan a QR code to report their travel history and health symptoms directly to Taiwan’s Centre for Disease Control. The location of passengers coming from at-risk areas is then monitored via their mobile phones to ensure compliance with quarantine measures. The government also tracks individuals who initially test negative in order to re-test at a later date.
Singapore
Singapore’s Personal Data Protection Commission recently loosened its regime to enable organisations to collect, use and release personal data relevant to coronavirus contact tracing. This has enabled a wide-ranging set of measures. The Tan Tock Seng Hospital Operations Command Centre, opened in 2019, now collects information from multiple hospital systems to coordinate coronavirus containment, particularly cases of surge demand. Using a Real-Time Location System (RTLS), the Centre enables live tracking of patients, visitors and staff, including staff hygiene. The data also supports an algorithm-based decision system for allocating hospital beds.
The government has also launched an app, TraceTogether, that uses Bluetooth technology to identify individuals who have been near coronavirus patients. According to the app, it does not collect geolocation or personal data other than users’ mobile numbers, but only records users’ proximity to others. Data is stored on users’ phones for 21 days and logs will not be shared without a Ministry of Health request. The Singaporean government is also using a database of public contact information to trace exposure, with police in some cases using CCTV footage, data visualisation, credit card transactions, and travel records from known cases. This includes ride-sharing or taxi booking apps. It then uses GPS updates to track individual compliance with quarantine measures. The public also has access to an interactive map of all confirmed cases.
South Korea
The South Korean government has taken a multi-pronged, data-driven approach to tracking and containing coronavirus. Quick implementation of large-scale rapid testing fed huge quantities of data into a monitoring system. This has allowed authorities to track clusters of infection and accurately calculate the disease’s mortality rate. Furthermore, South Korean health authorities have access to data from surveillance cameras and credit card transactions to retrace the steps of those infected. They can use this data to alert others who may have been exposed.
The government has also introduced a ‘self-quarantine safety protection app’ that quarantined individuals can use to complete mandated check-ins with their government-assigned caseworkers. Once downloaded, the app also enables the government to use GPS tracking to ensure quarantined individuals do not leave their designated area. Furthermore, the government launched the Corona100 app that alerts citizens when they come within 100 metres of a confirmed coronavirus sufferer and an app to inform citizens about the availability of protective masks.
South Korean citizens are also leveraging technology to increase public awareness. Examples of civilian-developed websites and apps include Coronamap, which maps the travel histories of confirmed victims, and Coronaita, a search engine for information on areas with cases of coronavirus. Despite the apps’ utility, they have prompted social concern about public shaming and isolation for sufferers of the virus. In addition, civilian-developed apps raise questions about data sourcing and reliability. Nonetheless, there appears to have been no public outcry in reaction to these potential privacy violations.
Israel
The Israeli cabinet passed an emergency decree allowing special measures for 30 days. This includes using mobile phone data originally intended for counterterrorism purposes that tracks individuals’ movements. Israel’s internal security agency, Shin Bet, which has been collecting the data since at least 2002, has not clarified exactly what the dataset contains. However, it will share data with the health ministry to enable them to track those infected with coronavirus. The ministry will then work with police to identify and notify anyone previously exposed to infected individuals. It is unclear whether the data will be used to ensure that infected individuals follow quarantine measures.
The emergency decree and the way in which it was implemented have generated controversy. The Israeli parliament, the Knesset, said it needed more time to review the measure. However, Prime Minister Netanyahu and his cabinet bypassed Knesset approval to pass the measure. Netanyahu argued this action was necessary to save lives and Shin Bet assured citizens it will not store the data in Shin Bet databases. Israel’s High Court has acted to restore Knesset oversight. However, many in government and civil society remain concerned about Netanyahu’s actions and Shin Bet’s expanded access.
Policy Principles
While the full impact of data-driven approaches to coronavirus will not be clear for many months, the countries above have received praise for their effectiveness in the prevention of the spread of coronavirus. However, to address any concerns with data and privacy during national crises, policymakers should consider the following principles when rolling out tech-driven measures.
The first principle is data minimisation. Governments should only collect data deemed to be absolutely necessary and directly related to the fight against coronavirus. Governments should develop these capabilities within the spirit of GDPR, irrespective of any reliance on national security exemptions. For example, as countries across Europe look at implementing their own data-driven monitoring tools, multiple mobile operators have offered to share anonymised data sets to help governments map the virus’ spread and monitor citizens’ movement. Sharing this data without releasing individuals’ data presents one possible means to manage coronavirus while maintaining personal privacy. However, governments are still debating whether they need more access than these anonymised datasets can provide.
A second principle relates to the collection and storage of data and citizens’ right to be forgotten. Governments should be transparent about how long data will be collected and stored and if citizens can request the right to be forgotten. For European governments, the use-by-date limitation on data is essential to protect the privacy norms established through GDPR. Measures to address coronavirus may remain in place for several months and one risk is that some governments may be reluctant to give up powers once they expire. Strict ‘sunset’ clauses on the governments’ ability to collect data and independent oversight are critical to manage this risk. In the UK, the Centre for Data Ethics and Innovation could be involved in reviewing the use of data to ensure the ethical application of any measures. Currently, the Information Commissioner’s Office (ICO) has told the UK government they may use mobile phone data to track the spread of coronavirus provided they use anonymised data sets and comply with existing privacy laws. The ICO has also opened a Data Protection and Coronavirus Information Hub to provide guidance to citizens and businesses on protecting their data.
Finally, secure data storage should be prioritised to ensure that vulnerable people suffering from the pandemic do not fall victim to cyber-enabled or cyber-dependent crimes. Authorities could include privacy-by-design principles to limit the type of data that is stored. Moreover, there should be clear guidelines about who can use coronavirus-related data, and strict rules around access management for individuals and organisations.
Data-driven approaches may be an effective tool in monitoring and managing the outbreak of coronavirus. Governments may need unprecedented powers to address an unprecedented threat. For some states, there is little reason to doubt their assurances around respecting data privacy and limiting their access to these capabilities. Nonetheless, in the UK, civil society must. The UK government should also clearly communicate why any new measures are necessary and proportionate. Finally, this unique situation, and government’s unique needs, make it critical to ensure the appropriate independent oversight is in place and clearly define the timelines within which government can collect and store this data.
Regardless of any legal differences relating to data-driven responses to pandemics, the coronavirus pandemic highlights the increasing importance of established frameworks for using technology and data-driven methods during low-likelihood, high-impact events. UK policymakers will have to think carefully about what is realistic in the next few weeks, months, and beyond.
The views expressed in this Commentary are the authors', and do not represent those of RUSI or any other institution.
WRITTEN BY
Sneha Dawda
Rebecca Lucas
Former Research Analyst