COVID-19: Conflicts between National/Public Interest and Individual Privacy

Why Contact Tracing?

Medical experts, thus far, have established that the COVID-19 virus is transmitted mainly via human-to-human contact. That is why a number of government authorities in countries such as China, South Korea, Taiwan and Singapore have embarked on a strategy of contact tracing aggressively so as to break the chain of transmission. Contact tracing involves systematically identifying and tracing individuals who have come into contact recently with confirmed or suspected COVID-19 cases. Once these individuals are tracked down, they will be advised or ordered to be isolated/quarantined in their own homes or at specified quarantine facilities for 14 days – the medically accepted incubation period of the COVID-19 virus in the human body.

For contact tracing to be effective in taking individuals out of the chain of transmission, it has to be carried out rapidly and expeditiously, lest these individuals who may be carriers of the virus begin to infect others in the community. This is because there could be carriers of the virus who are asymptomatic, i.e. they do not exhibit any symptoms of COVID-19 until the disease becomes full-blown in their bodies. The number of people they could potentially infect with the virus may run into 4 or 5 digits, especially in large sports, entertainment or religious events where attendees number into the thousands or tens of thousands.

It is thus a daunting task to try to do contact tracing manually, especially where large numbers of contacts are involved and time is not on the side of the contact tracers. That is why a number of government agencies have resorted to using tracking or surveillance technologies to augment the contact tracing process. Herein lies the dilemma for government authorities: while it is in the national or public interest to be able to trace and isolate/quarantine the contacts speedily and accurately, collecting detailed information on their movements and activities could be intruding into their individual privacy.

Contact Tracing Process and the Privacy Implications

Let us look at the contact tracing process to understand the privacy issues involved.

A. Identifying and Tracing the Contacts of the Confirmed or Suspected Cases

Contact tracing begins with asking the confirmed or suspected COVID-19 cases to recall where they had been over the past 1-2 weeks, who they had met, what they had been doing. It can be argued that such detailed information is necessary to identify and trace accurately all the contacts and that no one is missed out, for the good of the public. But, from the privacy point of view, such detailed information could reveal a lot about the movements and activities of the confirmed or suspected cases, which they would rather keep private to themselves. (In certain instances they would not even want their spouses or family members to know where they had been and who they had met and spent time with).

Even more privacy-invasive is the use of the following tracking or surveillance technologies, for example, to trace the movements (or digital footprints) of the confirmed or suspected cases:

• Via community-driven contact tracing. The Government Technology Agency of Singapore recently launched a mobile app called TraceTogether that enables participating mobile devices to exchange proximity information. If a person is infected with COVID-19, the Ministry of Health (MOH) would work with him or her to map out the past 14 days’ activities for contact tracing by granting MOH access to the TraceTogether Bluetooth proximity data.
• Via cellular networks to track mobile phones carried in the pockets (for males) or handbags (for females). In South Korea, this is taken to the extreme: when a new COVID-19 case is confirmed, all those people within the same neighbourhood will receive a government alert on their mobile phones, accompanied by a shrill emergency alarm, which details the new case’s age, gender and travel history.
• Via GPS to track mobile devices carried around by them. This has been implemented in a number of location-based services.
• Via the ubiquitous CCTV surveillance cameras located at public places or private premises
• Via CCTV surveillance cameras with facial recognition software. This has already been implemented in China on a large scale even before COVID-19.
• Via e-payment or point-of-sale devices that accept credit/debit/cash cards and pinpoint the locations of these devices

B. Disclosing Information About the Confirmed Cases

Once the affected individuals are confirmed as COVID-19 cases, the big question for the government authorities is whether or not to reveal their identities, for the good of the public. In the context of Singapore, the Ministry of Health (MOH) publishes the confirmed cases anonymously, so as to protect their privacy. Only the case number, age, gender, nationality, where the person has been to, where the person works, where the person lives (at the street level), where the person caught the virus (e.g. a retail shop, a company, a church, a dinner gathering), and links to previous cases, are published. Although it can be argued that such basic information would not allow any of the confirmed cases to be identifiable, there have been unintended consequences. For example, there have been instances in Singapore where individuals or their family members were stigmatised or ostracised once people came to know that they worshipped at the church or worked at the company with confirmed cases.

C. Isolating/Quarantining the Close Contacts

For close contacts of the confirmed COVID-19 cases, they will be issued with a home quarantine order (HQO) under the Infectious Diseases Act (for residents in Singapore). They are required to be isolated in their own homes and are not allowed to leave their homes for a period up to 14 days, just in case they become potential carriers of the virus or become infected with the virus themselves. The big question for the government authorities is how to enforce the HQO to ensure that the quarantined individuals do not flout the HQO by leaving their homes and thus causing a risk to the community. The way the Singapore government authorities do it is to call the quarantined persons at random timings to check on their body temperatures as well as to check whether they are in their isolated rooms (by scanning their surroundings with the camera on their mobile phones). This again could be privacy-intrusive if the quarantined persons are caught in embarrassing situations, e.g. lying on the bed or using the bathroom.

Worse is the use of such privacy-invasive technologies as the following to monitor the movements of quarantined persons:

• Via wrist-bands or leg-bands that can transmit signals wirelessly. The Hong Kong government has implemented electronic tracking wrist-bands that use geofencing technology.
• Via cellular networks to track mobile phones carried in the pockets (for males) or handbags (for females
• Via GPS to track mobile devices carried around by the quarantined persons
• Via CCTV surveillance cameras with facial recognition software

Striking the Right Balance

The COVID-19 pandemic has been most unprecedented and many countries are caught off guard.

Contact tracing seems to be an effective first line of defence to contain the spread of the disease and to minimise the harm to the physical health of the population at large. The dilemma facing government authorities is to what extent can personal data be collected, used or disclosed for rapid, comprehensive and accurate contact tracing without intruding into the privacy of individuals, especially with the use of tracking or surveillance technologies. And to what extent can government authorities demand telcos, Internet service providers and e-payment service providers to disclose the movement and location data of their customers. There has to be a right balance between serving the national and public interests in such a crisis situation and the privacy of individuals.

One practical rule of thumb is to abide by the principles as laid down in data protection laws:

• Be clear of the purpose why you are collecting, using or disclosing individuals’ personal data
• Do not collect personal data excessively, just enough for the stated purpose, bearing in mind that consent is not required in order to respond to can be waived under an emergency situation or for national/public interest
• Do not disclose personal data excessively, just enough for the purpose of disclosing the data to third parties
• Implement necessary controls and measures to ensure the security of the personal data
• Dispose of or destroy the personal data when the purpose is fulfilled.

Article contributed by William Hioe, CIPM, CIPT, CIPP/A, CIPP/E, FIP, GRCP