Murray Hunter | Don’t impose new health policy until we understand impact of Covid data collection
With the state of disaster over, Murray Hunter questions what will happen to the ambitious, if chaotic, data collection regime that South Africa’s health authorities pursued to combat the pandemic.
President Cyril Ramaphosa’s decision to end the two-year state of disaster declared over the Covid-19 pandemic has brought South Africa to a fork in the road on our journey through the pandemic – and demands some reflection on how we’ll handle the next pandemic as well.
To recap, nearly all the emergency measures adopted since March 2020 have fallen away with immediate effect. We are still required to wear face masks in certain public spaces; there are still crowd limits for major gatherings, and certain protocols apply for international travel. Importantly, the R350 Covid relief grant will still be issued. COGTA has invited public comment on draft regulations that would govern these matters going forward, here.
One significant aspect which demands further attention is what will happen to the ambitious if chaotic, data collection regime that South Africa’s health authorities pursued to combat the pandemic.
Covid-19 and data tracking
You’ll remember that the onset of the pandemic brought a rash of global debates about data protection and public health technology, as governments and industry players across the world experimented with all manner of digital technologies and data tracking to try slow the spread of the virus.
South Africa, somewhat infamously, initially experimented with collecting mobile location data in the hopes of using it for contact tracing – although this approach was shelved almost immediately when it became clear that the data was both sensitive enough to raise substantial privacy concerns yet not accurate enough actually to help in contact tracing.
The Department of Health then shifted to less controversial technological solutions, which provided alternative approaches to contact tracing. This includes the Covid Alert app, which uses Bluetooth proximity monitoring to do anonymised exposure notifications. In doing so, the app sidestepped the major privacy debates of the time, although there have also been significant questions about that app’s effectiveness and little data from the Department of Health to prove the case. CovidConnect, the Department of Health’s messaging suite which combines bulk SMS and WhatsApp exchanges, has used a range of service providers to send out public health messaging, allowed people to interact with WhatsApp bots to get general information about Covid, enabled access to personal test results, and even nominated people for contact tracing.
Throughout the Covid period, our disaster regulations included provision for health authorities to collect a fair amount of personal data for contact tracing and broader efforts to understand the spread of the virus. The ‘Covid-19 Database’, as described in the regulations, was permitted to include the names, identity numbers, addresses and contact details of anyone who took a Covid test, as well as the details of anyone suspected of having been exposed to someone with a Covid infection – and, at least in theory, it could also include a person’s cellular location data if that information was deemed necessary for public health purposes.
So now that the state of disaster is over, what happens to all the data collection?
While that phone-tracking approach never really got off the ground, the regulations that enabled them remained largely in place during the state of disaster. And while the policy was controversial, it did include several notable safeguards to try mitigate concerns about privacy and data protection – such as the appointment of a judge to oversee the use of the policy and legal provisions that clearly restricted any data collection to legitimate public-health purposes.
Perhaps most relevant for this moment, the policy included a sunset clause. Specifically, the Covid-19 data collection processes would end with the declared state of disaster itself, at which time any personal data collected in terms of this policy should either be destroyed or strictly anonymised if needed for further public-health research. The oversight judge has the power to set out standards for how this data can be acceptably de-identified, and the director-general of health and the oversight judge is supposed to table reports to Parliament on steps taken to shutter the data collection system. This sunset clause is now triggered.
A time for public scrutiny
This is a vital moment – one perhaps long overdue – for oversight and public debate of our Covid data collection practices: what worked, what didn’t work, and how data protection in public health should be approached going forward.
One of the enduring observations from that time is that officials really wanted to find public health interventions that protected data privacy – yet attempts to understand how these policies have been implemented and reviewed have often suggested that many stakeholders were simply not fully on top of the problem.
It’s understandable that at the height of an unprecedented public health crisis, where health officials were stretched to the absolute max, this aspect of our policy response did not get full attention.
Yet, to date, there have been hardly any Parliamentary hearings where Covid data collection has been seriously discussed; there appears to be no public information on the effectiveness and uptake of interventions such as CovidConnect or the Covid Alert app. We don’t know, for example, whether oversight measures relating to ICT service providers for the Covid Connect messaging services have been implemented. (The regulations require, for example, that each service provider is meant to have kept detailed logs of which employees have accessed any personal data collected for the Department of Health, and have all employees sign a declaration that they understand the Covid data collection regulations and its safeguards.)
After more than two years of the pandemic, where a three-month emergency provision stretched out for over 24 months, it’s now time for us to get to the bottom of things.
This should happen first through documents and reporting and then through Parliamentary oversight hearings. This will give us – the public – a better sense of the broader human rights impact of the policies, and the benefits to public health, and therefore whether a policy like this should be adopted in the future.
New regulations on data collection
As the President said, going forward the pandemic will be managed in terms of the National Health Act. A few weeks ago, the Department of Health released draft regulations that will seemingly absorb aspects of the Covid public health policies into existing regulations governing surveillance of other serious diseases and public health risks. (These diseases are known as ‘notifiable medical conditions,’ which require that certain information about confirmed cases must be shared with relevant authorities as a matter of public health.)
On principle, this may make sense. But alarmingly, the draft regulations would extend aspects of Covid-19 data collection to these broader health policies and the dozens of other illnesses which they govern – without further engagement with how Covid data collection policies have played out. In essence, before we’ve had any chance for reflection, assessment, and public engagement into the successes or failures of our attempt to balance privacy and public health, these draft regulations would adopt them in perpetuity.
Specifically, section 15H of the draft regulations creates a ‘notifiable conditions contact tracing database’, for which the Department of Health must collect a wide range of personal information of any person who contracts (or even tests for) one of about 50 illnesses listed as notifiable medical conditions in the regulation; the database should also include the details of anyone known or suspected to have been exposed to them, for contact-tracing purposes.
Once more, there is nothing to suggest that this is malicious. Rather, it appears almost absent-minded. For example, some of the diseases for which this data collection would now apply can’t even be passed from one person to another. (What’s the point of doing contact tracing for malaria?)
There also seems to be little consideration of the data protection implications, if any, of applying Covid-style data collection to this host of other illnesses, serious as they may be. As an example, the list of applicable diseases includes gonorrhoea, a sexually transmitted infection: the proposal to do Covid-style contact-tracing carries vast implications for a patient’s privacy and dignity.
These draft proposals, which are open for public comment until Thursday, 14 April 2022, appear to be a case of policy by sleepwalking. Unfortunately, when it comes to data protection – in the era of Covid and long before – we’ve done far too much of that already.
The end of the state of disaster – and this current juncture in our pandemic response – is a time for reflection, assessment and accountability for the policy choices that were made in our responses to this awful pandemic. Many, no doubt, will prove to have been the best choices available on the information we had. Others may stand out as mistakes never to be forgotten or repeated.
Either way, these questions must be aired – through Parliament, our Information Regulator, and beyond. It would be wise to pause any proposed regulations to expand or extend these practices until we fully understand the successes and failures of our data collection approaches in the pandemic.
– Murray Hunter is a senior associate with ALT Advisory.