In response to COVID-19, digital rights should be respected
– When publishing whereabouts of infected individuals, exposure of personal information should be restricted
– Personal information collected for the purpose of public health emergency should be discarded after emergency
– Legislation to process and protect personal information during public health emergency should be supplemented
One of principles for Korean government to respond to COVID-19 is transparency. It seems to be because it was criticized for failing to respond to infectious disease by not properly disclosing the transmission route during the last MERS outbreak. So, Korean government disclosed not only whereabout of infected person but also information on spreading pattern of the disease and response to it from the beginning of the disease. However, in the process of disclosing such information, violation of digital rights may occur. Although right to privacy including right to self-determination of personal data could be somewhat restricted for responding to public health emergency, we need to be careful not to infringe upon the essence of rights due to excessive restriction beyond necessity. Also, measures taken during emergency should not be converted into a surveillance system at future normal time.
Balancing between protection of personal data and disclosing movements
As each local government has already disclosed whereabouts of infected person, individual whose identity has been exposed are being harmed. Without reasonable grounds or standards, movements and other personal data of infected person have been exposed in great detail, which caused groundless accusations, speculations and hate speech against individual concerned. People even say that they are more scared of revealing their whereabouts than getting infected with the virus. In the statement issued on March 9, the National Human Rights Commission of Korea (NHRCK) also said that “it is hard to deny the need to disclose a certain amount of information including location and time of visit by infected person to prevent the spread of infectious disease, but there are occurring many human rights violation cases by disclosing more personal data than necessary, so we should refrain from doing so.”
Accordingly, the Korea Centers for Disease Control & Prevention (KCDC) released the guideline on information disclosure on March 14. According to the guidelines, the location and means of travel should be disclosed only when there is contact, and personal data of infected person, such as the residence address or company name, shouldn’t be allowed to be disclosed. It is commendable that KCDC set the standards to protect personal data when disclosing movements of infected individuals to reflect critical public opinion. However, the guidelines still assumed the disclosure of whereabouts by infected persons, possibly revealing the identity of them or raising slander against them.
The reason for disclosing whereabouts of infected individual seems to be to help contacts who overlapped the path but unidentified by contact tracer recognize the possibility of contact with infected person and take proper measure. Under this context, KCDC mentioned in the guideline that, if all contacts of specific infected person can be figured out, there is no need to disclose movements. However, some local governments have interpreted it arbitrarily and still reveal excessive movements. KCDC also assumed the disclosure of whereabouts by infected individuals, so there is still risk of exposing personal identities.
If disclosed data would be just lists of specific time and place which a infected individual had been, not whereabouts by specific infected person, it can still provide necessary information to the public without revealing specific identity of specific infected person. Of course, the possibility of identifying specific person can be increasing if data is disclosed by each local government because the number of infected person is not big enough in the region. So, it is preferable that KCDC rather than local government collect and disclose the data in order to decrease the possibility of identification.
Explain clearly the purpose of disclosing movements
In addition, despite the fact that the disinfection has already been carried out already for the place where an infected person visited, those places are still being misunderstood as infected area, which is causing damage to relevant restaurants and shops. It is because the government do not clearly explain the purpose of disclosure of whereabouts. Disclosure of places where an infected person visited is not to prevent others from visiting the place, but merely to provide information to someone who might contact the infected person without knowledge of infection. This misconception of a particular place can lead to a sense discrimination that considers an infected person as a contaminated person. Only when the government properly informs the public of the purpose and implication of disclosing movements can reduce unfair damages such as avoiding and discriminating specific business place and infected person.
Minimize the disclosure of personal information
Along with whereabouts, personal data of infected person, such as gender, last name, occupation, nationality and religion, is disclosed, which could violate the privacy of the person concerned. Although It’s necessary to disclose some information on the status of infectious disease to elicit cooperation in responding to it and to assess whether measures were appropriate, we need to be careful not to violate human rights in the process. For example, information about whether infected person entered Korea after visiting specific country would be more important rather than infected person’s nationality. Likewise, the fact that infected persons had a meal together would be more important rather than the relationship between infected persons, such as spouse, daughter, son-in-law, and sister-in-law. In other words, events which affected the infection could be more important than relationship with infected person, and in that case, there is no need to disclose the personal data of infected person. The government and the media need to focus on the factors themselves that affect infection rather than the relationship or identity of infected person, and should try to minimize the disclosure of personal information.
The contact tracing system should not become a routine surveillance system
There are huge collection of personal information for contact tracing. The Infectious Disease Control and Prevention Act (IDCPA) allows collecting huge amount data such as card record, transportation card record, CCTV video record, and location information. Tens of thousands of location information collected from specific base station is provided as if by investigative agencies. Recently, the government has developed a new system which links system of different organizations, including police, telecoms, and credit card companies, to figure out movements, reducing time for contact tracing from several hours to 10 minutes. On a normal basis, it must be an enormous surveillance system.
Of course, it may be necessary to identify the correct contact tracing through objective information. Building a more efficient system will also increase the efficiency of responding to infectious disease. However, it should be accompanied by appropriate safeguards. Even if introduced for legitimate purpose, it could be abused anytime if there is not proper oversight. As the personal information of an infected person has already been leaked from a public institution, we cannot help but worry about whether government system for processing personal data of infected person is being properly managed. The system should be managed to be only used for lawful purpose by taking proper administrative and technical protection measures, such as access log to monitor misuse of the system.
Another problem is that local governments and other agencies can collect location information without specific requirements as long as they think they need it. But, strict requirements need to be provided in the act, regarding under what conditions location information can be provided, real-time location tracking can be carried out, and measure similar to base station investigation can be taken etc. In addition, these information should not be collected by the police, but who directly carries out public health affairs, and the responsibility for processing the data should also be taken by public health institutions. The newly developed contact tracing system, so-called ‘the COVID 19 data platform’, which links systems of police, telecoms and credit card companies should be discarded with the data stored in the system after the emergency is over.
On March 16, U.N. human rights experts including Special Rapporteur on Freedom of Expression and Special Rapporteur on Privacy, also pointed out that “restrictions should be narrowly tailored and should be the least intrusive means to protect public health” and “authorities must seek to return life to normal and must avoid excessive use of emergency powers to indefinitely regulate day-to-day life”.
Need to improve legislation on processing and protecting personal information in times of public health crisis
Recently, data protection authorities around the world have laid out principles for handling personal information in times public health crisis such as COVID-19. Personal Data Protection Act do not prohibit processing personal information when needed to response to public health crisis. In this regard, however, there should be a clear legal basis, and the restriction of the rights of the data subject should be limited to the minimum required and proportional. Furthermore, appropriate safety measures should be taken to process such personal information, including limiting access and processing authority to the minimum required, and personal information collected for such public health purpose should be discarded immediately after the objective has been achieved. In addition, the rights of the data subjects should be guaranteed as much as possible by providing procedures such as notifying the data subjects of matters related to the data processing or receiving consent from them.
In this regard, Personal Information Protection Act (PIPA) in S.Korea still has a lot of loopholes in terms of personal data protection in times of public health emergency. Although IDCPA stipulates the collection of personal data for contact tracing and disclosure of contact tracing, it is not clear how the PIPA relates to the situation the IDCPA is applied. The PIPA also allows processing personal information “temporarily where it is urgently necessary for the public safety and security, public health” in Article 58 clause 1 paragraph 3 while excluding the application of the PIPA from Chapter 3 to 7. Although it could be allowed that personal data is processed for urgent public health purposes, it is necessary to stipulate more concrete provisions in relevant laws, such as PIPA and IDCPA, on how the right of the data subject is protected and under what conditions it is restricted.
Infectious diseases such as COVID-19 can recur from time to time, and the experience of overcoming COVID-19 can be valuable asset in the future. To do so, beyond just controlling the infectious disease right now, the process of accurately diagnosing the structural vulnerability of our society and overhauling the system to prevent the recurrence of the same problem in the future should be accompanied. We should create a system that can protect digital rights in a balanced way while responding to urgent public health needs.
March 26, 2020.
signed by 22 human rights organization
경제정의실천시민연합, 광주인권지기활짝, 다산인권센터, 무상의료운동본부, 민주사회를 위한 변호사모임 디지털정보위원회, 빈곤과 차별에 저항하는 인권운동연대, 사단법인 정보인권연구소, 서울YMCA 시청자시민운동본부, 언론개혁시민연대, 연구공동체 건강과대안, 인권운동공간 활, 인권운동네트워크 바람, 인권운동사랑방, 인권중심사람, 전국민주노동조합총연맹, 전국사무금융노동조합연맹, 전국장애인차별철폐연대, 전북평화와인권연대, 진보네트워크센터, 참여연대, 한국게이인권운동단체 친구사이, 한국노동안전보건연구소