How to lift information out of lockdown and guard fundamental rights
Lessons from RightsCon 2020 Strategy Session on the public, the private and our rights in the time of Covid-19
By Ania Calderon, Executive Director at Open Data Charter
and Helen Darbishire, Executive Director at Access Info Europe.
With ideas and editorial input shared by Fernanda Campagnucci, Executive Director at Open Knowledge Brazil, Maria Paz Canales, Executive Director at Derechos Digitales (America Latina), and Viola Ochola, Manager, Legal and Advisory Directorate at the Commission on Administrative Justice (Kenya).
The World Health Organisation is now calling for rapid data sharing as the basis for public health action. It is clear that open data is an essential tool in fighting the pandemic. Yet, with growing concerns about the increased collection and use of personal health data, there is also a need to strengthen efforts to balance access to public health data with protection of privacy, particularly given that a person’s health data is recognised as sensitive information which merits high levels of protection.
Access Info Europe and the Open Data Charter have been exploring how governments can strike the right balance between transparency and privacy.
At RightsCon 2020 we co-hosted a discussion on the importance of knowing how data is collected during a crisis like the pandemic, and subsequently how we can make it open while ensuring both the public’s safety and privacy. We looked at real-life cases from around the world, discussed them, and developed a series of conclusions and recommendations for next steps:
Case 1: How Privacy Rights Were Threatened in Kenya
Viola Ochola, Manager at the Legal and Advisory Directorate at the Commission on Administrative Justice (Office of the Ombudsman) in Kenya, shared a recent case where the Ombudsman received a request from a private citizen for the review of a decision denying him the name and location details of people who were known to have been in contact with individuals who had tested positive for Covid-19.
It was argued that many were not self-isolating as per the Covid-19 protocols and that the release of their personal information was necessary to allow others to protect themselves from those infected. It was also argued that the publication of this data would help law enforcement agencies track people. In this instance, the Commission had to consider how to balance the protection of public health with the individuals’ right to privacy. At the time of the RightsCon session, the Commission had still not issued its ruling, and it was recognised that comparative case studies from other Information Commissioners around the world would be valuable to share.
Viola did, however, comment that to avoid a situation where public health overshadows the individual’s right to privacy, service delivery structures within the responsible institutions (Ministry of Health, Law Enforcement Agencies) must be strengthened in order to provide seamless and efficient service to the citizens. This would minimise gaps which private citizens would then seek to fill, particularly where critical health matters are involved.
Case 2: How Opening Up Data Saved the Lives of Minority Communities in Brazil
Fernanda Campagnucci, Executive Director at Open Knowledge Brazil, shared how their President is denying the gravity of the pandemic and spreading misinformation. OKFN Brazil has been pushing for the release of health micro-data through their index, to understand how minority communities are being affected by Covid-19.
Thanks to this work, there are now more than 80 states publishing data on minority groups impacted by Covid-19. The analysis of this data allowed them to see the inequality of access to health care that exists in the country, even though the federal government has been delaying or preventing the publication of new data.
Case 3: How Data Access Led to Acts of Aggression in Chile
Executive Director at Derechos Digitales, Maria Paz Canales’ case revealed just how delicate the balance between rights and access truly is. She reported that, since the beginning of this pandemic, the Chilean central government failed to provide accurate and relevant information about the geographic spread of Covid-19 in the different territorial divisions of the country. There were also very few details provided about the methodologies used to collect data.
Early in May, an independent digital media outlet got access to and published sensitive health data held by the Ministry of Health. The data included geo-referenced information about people who had tested positive for Covid-19, which was published in a series of maps. Although the complete addresses were not listed, the streets and the approximate location of the patients’ homes were indicated, which allowed their location to be fairly accurately inferred.
Whilst some of the population thought that the release of this data was a good thing so that they could avoid those infected and therefore protect themselves, the release of this information exposed individuals who had been infected by Covid-19 to discrimination, which included healthcare workers who experienced stigmatisation and acts of aggression.
She stated that while we need to release life-saving information, the way in which we do so has ethical and legal consequences. We need to release information in a way that doesn’t put private individuals at risk.
The Need for Transparency, Collaboration and Governance
Maria Paz urged that we must not demonise the release of aggregate data. Instead, we need to take a look at what we have and ensure our governments are making evidence-based decisions on how best to prioritise action that places the public interest front and centre of a crisis.
A commendable example of a balanced response is that of New Zealand’s data agency StatsNZ, whose strategy to wait for more cases before publishing their highly-detailed Covid-19 data mitigated re-identification risks.
Five key takeaways from this fruitful exchange could be summarised as:
- Transparency is needed, not only on the current number of cases in a locale, but also on other measures taken to combat the pandemic, such as emergency procurement procedures and what decisions are being made, and by whom.
- There needs to be more communication and compilation of best practices that will help governments globally to strike the right balance between transparency and privacy in an effective way, in the public interest.
- Civil society organisations should work with Information and Data Protection Commissioners in developing this knowledge base, and in identifying which datasets should be released and which safeguards should be put in place.
- Governance must be flexible and dynamic. Different situations and technologies mean different security risks and, as the world changes, risks may change with it too. There is a need for solid governance and a careful consideration for the design of data management and storage.
- There should also be risk impact assessments for all Covid-19 related data collection efforts. These assessments should be made public, overseen by independent experts, and ensure they further ethics, human rights, and fairness of data processing systems.
In order to combat Covid-19, governments must combine these best practices and commit to reforms. Where transparency and open communication are unavailable, this balance between data access and privacy rights will continue to be a roadblock. Nevertheless, as many countries have shown, with a solid data infrastructure and a collaborative governance framework in place, change is possible and more lives can be saved.
If you would like to share practical tips and lessons on how to lift information out of lockdown, get in touch with us at info@opendatacharter.org or rachel@access-info.org.
