Opinion

Privacy amid a pandemic


How much of our personal data should be shared to stop the spread of COVID-19? Lawyer Anna Zam takes a look at what's happening in New Zealand, Australia, and Asia during the pandemic.

COVID-19 has sparked debate on a global scale as to how much personal data we ought to trade for the public interest of health and safety.

This question is not necessarily unique.

In the late 19th century, John Stuart Mill posed something similar in his treatise, Of the Limits to the Authority of Society over the Individual,when he asked: “how much of human life should be assigned to individuality, and how much to society?”

However, unlike the context in which Mill was speaking, COVID-19 is an exceptional set of circumstances. Desperate times may call for desperate measures, especially given the World Health Organisation officially declared the virus a pandemic on March 11

frank busch ChDWtI3N9w4 unsplash 1How much privacy should be given up during a time of crisis? Photo: Photo by Frank Busch on Unsplash

Amid the unfolding COVID-19 situation, New Zealand’s Privacy Commissioner has published some guidance around privacy concerns.

Namely, he has confirmed that the Health Act allows a medical officer to disclose information about individuals who pose a public health risk to agencies.

And even if you are not a medical officer, you may use or disclose personal information (such as ‘so and so has symptoms of the dreaded virus’) where you believe that such use or disclosure is necessary in order to prevent or lessen a serious threat to public health or safety.

For instance, an employer may be justified in telling their staff that they may have been in contact with a potential carrier if someone was positively diagnosed with the virus, so that others may be tested.

The balancing rule here is that while personal information regarding someone’s medical situation should always be private, this could be overruled if there is a public health risk.

Similarly, the Office of the Australian Information Commissioner also provides for this and further advises that the private sector should ensure other personal information, such as “where employees are working remotely”, is kept private.

If nothing else, COVID-19 has strengthened the link between public data systems and private sector data collection. 

74591594 2477694499152698 5871203002093666304 n2Anna Zam attended the Council of Europe's World Forum for Democracy in Strasbourg in late 2019 and participated in plenaries and panel discussions involving privacy.
Photo: Anna Zam/Supplied 

What if private companies mine publicly available data, such as social media accounts, to detect the spread of the virus? Is this OK given the data is no longer ‘private’? 

Would it be OK if this was done in a public-private collaboration, involving the analytics of aggregated data collected by the private sector but analysed by governments?

These privacy principles do not sound drastically different to those in the Peoples Republic of China (PRC). According to the PRC Law on Prevention and Treatment of Infectious Diseases (2013) and the Emergency Regulations on Public Health Emergencies (2011), cooperation with the state to prevent and control the virus is mandated. 

Despite this, under the PRC’s national-level Personal Information Security Standard, China has taken steps to protect its citizen’s personal information.

Guidelines under the PRC Cybersecurity Law (2017) also require that any collection of personal data must follow the principles of legitimacy, properness and necessity, and be known and agreed to by the person.

Therefore, unless the company has been authorised, or requested by the PRC National Health Department to collect COVID-19-related information, employers should not force an employee to provide this medical information.

That is not to discount that other freedoms of speech are still very much restricted in China.

But if it is true that China is at the forefront of efforts to contain the spread of the virus, would citizens be more willing to relinquish greater amounts of private information, in order to hurry along the isolation period? 

clique images ImWVsIHiEWI unsplash 1Some countries, such as Singapore, are using apps to help with tracking and social distancing. Photo: Photo by Clique Images on Unsplash

Other countries in Asia are varied in their approaches to this larger debate. 

Would it be OK if the government collected aggregated personal data to empower each of us to protect ourselves?

South Korea is an example of this. It has provided highly detailed information about the location and movements of infected persons so that other citizens can avoid certain locations.

But if the information is too specific, it is not hard to imagine that too much detail could lead to identification and subsequent harm if it fell into the wrong hands.

If individuals volunteer their personal data for such purposes, does this render the debate moot?

Singapore has developed an app called TraceTogether which uses Bluetooth signals to identify when other phone-users are within two metres of each other. The design of the app includes privacy protective measures.

New Zealand and Australia have not yet shown a comparable experience of tracking and tracing the spread of the virus. However, time will tell an appropriate balance between measures taken by the public and private sector to address the pandemic, and proper respect for civil liberties such as our prized privacy.

Where do you think a correct balance lies?

- Asia Media Centre