Data Governance: We must be careful how data is used in fighting COVID
Originally published in the Standard, April 3, 2020
Times of crisis require difficult trade-offs between competing public interests. On one hand for example, the government has announced a curfew as a means to working to halt the spread the COVID-19 virus, and on the other, there are challenges with contraventions of constitutional freedoms like the freedom of movement and association.
It is undeniable that fundamental human rights — the right to freedom of assembly, to liberty, and in some instances to due process — have to be balanced against the urgent collective need of society and countries around the world to flatten the curve of the virus’s spread.
This week, the Law Society of Kenya (LSK) has moved to court seeking the suspension of the dusk-to-dawn curfew. They also sought an order compelling Health Cabinet Secretary Mutahi Kagwe to provide more details on the country’s preparedness in tackling coronavirus as well as guidelines by the Interior Ministry on the conduct of police officers in enforcing the curfew.
The society says that the curfew is not only unconstitutional but also illegal, illegitimate and disproportionate because it is blanket and indefinite and goes beyond remit of the Public Order Act.
As the lines between the physical world and cyberspace have become ever more blurred in recent years, these public interest trade-offs now exist in the use of technology as a means to combating the dreaded virus. An emerging challenge is the balancing of data governance issues and the use of data to organise information to fight the spread of the virus.
CS Kagwe has on numerous occasions briefed the country that they are working with the ministry of the interior and security agencies to track the contacts of the positive cases – now numbering in the thousands. On at least one occasion he has mentioned that they are working with the mobile phone service providers – ostensibly to track the location and movements of persons of interest, so that they can secure them in isolation as quickly as possible.
The use of data in this way is currently understandable and even expected of the government because we must keep our people alive as a matter of priority. That being said, we must also be sensitive to the notion that for every positive application of a digital technology or dataset, there is likely to be at least one potentially negative and harmful application too.
In the context of COVID-19, we do have to push for greater public-private collaboration to help source data that can inform the response, including by promoting the use of potentially highly sensitive datasets or invasive surveillance technologies to improve efforts to contain and manage the pandemic or trace infected individuals. At the same time, dangers of experimenting with surveillance tech – not only the immediate risks to individuals’ privacy and data protection, but also broader dangers to society including the risk of normalising pervasive surveillance in everyday life.
Tom Orrell (pictured left) is one of the world’s most ardent data governance experts and Managing Director of DataReady and this week I engaged with him for thoughts on the five rules that we must keep in mind as we consider the question of data governance in this new “wild, wild west” that we find ourselves in.
(Read his full blogpost here)
First, we accept that in times of crisis such as this, the government has every right and responsibility to invoke emergency powers that will override personal freedoms and rights – especially the right to protect personal data from being processed without an individual’s express consent. The thing is, to legitimately use these powers, they should be clearly defined in law and be subject to democratic checks and balances across the executive, legislative and judicial branches of government.
Secondly, in agreement with the LSK, any use of an emergency power should be temporary, necessary and proportionate. ‘Temporary’ means that a clear deadline on the use of an emergency power should be given. ‘Necessary’ means that there is no other way to achieve a legitimate objective (e.g. tracing infected individuals during a pandemic) than to process personal or sensitive personal data. ‘Proportionate’ relates to whether or not data collected for a specific purpose is proportionate to the achievement of the legitimate aim it has been collected for. For instance, proportionality between the amounts of personal data collected and the public health goals of epidemiologists during the Covid-19 crisis.
Thirdly, only legitimate entities specifically authorised and vetted should exercise those emergency powers – especially with regard to by passing consent for processing personal data. In the context of COVID-19 this would likely be epidemiologists, medical professionals and other carefully vetted public officials. Any processing of personal or sensitive personal data that is conducted on a basis other than by informed consent of the data subject must be accompanied by an assessment of why it was not possible to obtain informed consent and how the processing meets the tests of necessity and proportionality.
The fourth rule is that private entities, big data analytics firms, data mining firms and other non-specialist entities do not have the right to collect, access or use personal or sensitive personal data without consent.Tom Orrell, Managing Director, DataReady
The fourth rule is that private entities, big data analytics firms, data mining firms and other non-specialist entities do not have the right to collect, access or use personal or sensitive personal data without consent. In such exceptional circumstances however, it may be necessary for them to do so to help achieve a public interest objective (e.g. flattening the curve of the Covid-19 pandemic). In such circumstances, any data collection must be temporary, necessary and proportionate.
Finally, a crisis such as this pandemic is never a time for experimentation based on the processing or use of personal or sensitive personal data by private entities. Legitimate entities such as the World Health Organisation (WHO), Ministry of Health officials and professional scientists, epidemiologists and researchers may utilise personal and sensitive personal data to model outcomes; so long as their purpose is legitimate and specific, and their processing meets the tests of necessity and proportionality.