The Data Commissioner in Pandemic Times
Apart from debate on Covid-19, conversations on privacy and data protection have gained momentum over the last few months. Questions have arisen on whether strategies to manage Covid-19 have clawed back on gains made in the protection of fundamental rights and freedoms, especially the right to privacy. Questions have also arisen on whether such strategies have been well thought out and whether they are proportionate in view of their purpose. There is genuine concern that the surveillance mechanisms that have been adopted by states to deal with the pandemic have gone or will go beyond their legal purpose.
Surveillance mechanisms have gradually moved from physical surveillance by health care professionals to surveillance by security agents and digital surveillance using mobile phone data. Covid-19 tracing mobile applications are also gaining notoriety, though these have not found ground in Kenya. Recently, Apple and Google unveiled a Covid-19 exposure notification system. Massive amounts of personal data are being processed in relation to Covid-19.
Guided by the Data Protection Act, 2019, there are two types of data in question in relation to the pandemic. Section 2 provides for data in general, personal data and health data. The section states –
“data” means information which is processed by means of equipment operating automatically in response to instructions given for that purpose; is recorded with intention that it should be processed by means of such equipment; is recorded as part of a relevant filing system; forms part of an accessible record; or is recorded information which is held by a public entity.
“personal data” means any information relating to an identified or identifiable natural person.
On the other hand, “health data” means data related to the state of physical or mental health of the data subject and includes records regarding the past, present or future state of the health, data collected in the course of registration for, or provision of health services, or data which associates the data subject to the provision of specific health services.
On regulation of health data, Section 46 provides that personal data relating to the health of a data subject may only be processed by or under the responsibility of a health care provider or by a person subject to the obligation of professional secrecy under any law. The condition is met if the processing is necessary for reasons of public interest in the area of public health or is carried out by another person who in the circumstances owes a duty of confidentiality under any law.
In view of the above, what then is the role of the Data Commissioner in relation to the two types of data? From the outset, it is instructive to note that health data is accorded a higher protection standard. Section 51 provides for general exemptions where it states that the processing of personal data is exempt from the provisions of the Act if it is necessary for national security or public interest or where disclosure is required by or under any written law or by an order of the court. Managing the pandemic is definitely a national security and public interest issue. Also, public health legislation requires certain disclosures by individuals in the event of a public health crisis.
Section 8 of the Data Protection Act outlines the functions of the Data Commissioner. These provide guidance on what the role of the Commissioner is in these Covid-19 times. The Data Commissioner would undertake the following –
One, public education on the rights of data subjects in relation to the protection of their data when in a Covid-19 situation. The Commissioner would inform the public (data subjects) that there is data generally and health data that will be processed during this period, the effect the processing of each would have, and that the Data Protection Act provides for exemptions in processing of data for public interest purposes.
The Commissioner would also educate the public on their rights, for example, the right to be informed of the use to which their personal data is to be put; the right to access their personal data in the custody of a data controller or data processor; the right to object to the processing of all or part of their personal data; the right to correction of false or misleading data; and the right to deletion of false or misleading data about them.
Two, the Data Commissioner would provide guidelines on legal safeguards that ought to be put in place in the processing of data. Such would guide data controllers and data processors in both the public and private sectors. Notwithstanding that data may be processed for a public purpose, basic guidelines on data protection still apply. For example, processing of data must be for a lawful purpose, only authorized persons may process data, data security must be ensured and transfer of data ought to be undertaken within the legal purpose for processing of the data.
Three, the Data Commissioner would require data protection impact assessments from data controllers and data processors. Data protection impact assessments are mandatory where processing is likely to result in high risk to the rights and freedoms of a data subject. Data processing and surveillance being undertaken during the pandemic are a risk to the rights of data subjects. Hence, data controllers and processors should provide the Commissioner with data protection impact assessments that contain information set out under Section 31 of the Data Protection Act. These assessments are key, especially where technology such as contact tracing mobile applications is to be deployed.
Four, the Data Commissioner would, on their own motion or upon the request of data subjects, carry out audits and assessments to verify whether data controllers and data processors are processing data in compliance with the Act. Such audits would include recommendations that must be implemented to ensure data processing is statute compliant. The Commissioner has powers to impose administrative fines for failures to comply with the Act.
Five, it is the statutory duty of the Data Commissioner to receive and investigate complaints on infringement of the Act. The Commissioner has the power to facilitate conciliation, mediation and negotiation on disputes arising from the Act.
Six, the Data Commissioner would ensure cooperation with data protection regulators within and outside the region.
From the foregoing, the Data Commissioner has wide statutory powers to ensure data protection within the Data Protection Act framework. Where the framework under the Act is complied with, it may allay fears that data processing in managing the Covid-19 pandemic would go beyond statute-sanctioned purposes.