COVID-19: Managing Data Ethics in a Pandemic

In times of stress, you don’t rise to peak performance, you fall to the level of your training. There is a global pandemic. There is quite a lot of stress about. Governments and public institutions are looking for technology solutions to help. Is a balanced concern for privacy and data ethics present in this time of urgent need? Pádraig Walsh from the Privacy and Cybersecurity practice group of Tanner De Witt reviews the issues.

In 2018, the Privacy Commissioner published a report on an Ethical Accountability Framework promoting data ethics in industry[1]. Without waxing too lyrically, it was a compelling read. Here was Hong Kong looking past pure personal data protection, to a future where data processing in all forms needed a principle-based framework to ensure the digital dividend was fairly deployed and available in our society. It pointed to a trend in which principle-based rules (and ultimately laws) would govern advanced data processing techniques brought about by big data and machine learning.

The Framework is supported by a practical document showing a management structure to enable organisations to become effective data stewards, together with a model ethical data impact assessment protocol. The ethical data impact assessment is a process that looks at the full range of rights and interests of all parties in an advanced data processing activity and interrogates that activity to ensure those interests are properly taken into account. The process involves an assessment and balanced scorecard measuring benefits and risks. So, not only was the Framework a position paper propounding an evolution of data governance, it was also a guide on how to achieve that outcome organisationally. 

Since 13 March 2020, new arrivals to Hong Kong placed under mandatory quarantine have been given a wearable device on a wristband, each with a unique QR code, that links to an app called StayHomeSafe that must be downloaded on their phone, and paired. The app is activated and calibrated by walking around a location (such as an apartment) and mapping the unique signals around that area (WiFi, broadband, and so on). If those signals vary, it is an indication that the person is no longer in that physical environment, and may be breaching quarantine. This triggers an alert to the person, and to the government.

The Privacy Commissioner has stated he is satisfied that StayHomeSafe does not collect personal data, apart from the users’ phone number on registration. Also, the Chief Information Officer has confirmed StayHomeSafe has undergone a security and privacy assessment and audit before launch, and all data collected is stored on the Government’s private cloud and protected by multiple layers of defence to ensure information security. Unfortunately, these reports are not publicly available, the scope and extent of the assessment and audit have not been identified, and the persons conducting the assessment and audit have not been named.

This is not to criticise the approach to the introduction of StayHomeSafe, nor to challenge the basis on which it has been done. COVID-19 is a profoundly serious challenge to public health. There is no reason to doubt or question the statements made by the Hong Kong government.

StayHomeSafe is one of a number of technology solutions that have been adopted by governments around the world to combat the current pandemic. Technology solutions generally fall into three categories:

1. Digital contact tracing: Applications that assist with social distancing, contact tracing, and isolation of suspected or confirmed cases. Examples include StayHomeSafe in Hong Kong and BlueTrace in Singapore.
    
2. Symptom tracking: Applications that assist with surveys and symptoms tracking. An example is the COVID Symptom Tracker used in the UK and the US.
    
3. Immunity certification: Applications that establish and certify immunity, for which there will be a longer lead time for development.

Many of these solutions pose a challenge to personal privacy. It is a complex situation. Privacy is not an absolute right. The privacy rights of the individual must be balanced against the interests of society – and the health and wellbeing of people in society is as important a public interest as one can imagine.

Nonetheless, there are concerns about digital contact tracing applications in particular. There are technical limitations to some applications, and a lack of evidence to demonstrate they support the scientific purpose for which they are being used. This could lead to public mistrust of the applications, which might defeat the public interest being served. This risk is increased if use is mandatory, or there is no sunset expiry for stopping use. In time, legislation will be needed to regulate data processing in symptom tracking and digital contact tracing applications. Issues such as purpose, access and time limitations need to be addressed.

It is interesting to view the introduction of StayHomeSafe in the context of the Framework co-authored and promoted by the Privacy Commissioner. This is an ideal situation where an ethical data impact assessment should be conducted. Perhaps time did not permit at the time of introduction (and that is understandable), but it could still be undertaken on an “after the fact” basis. Also, it would demonstrate the transparency required at the heart of the Framework if the results of that assessment were made public. Perhaps this could be a spur to the engagement with organisations in Hong Kong to take ethical data stewardship seriously.

If you would like to discuss any of the matters raised in this article, please contact:

Eddie Look Partner | E-mail

Tim Drew Partner | E-mail

Edmond Leung Partner | E-mail

River Stone Partner | E-mail

Pádraig Walsh Partner | E-mail

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.

  [1] See this link