COVID-19 and Data Protection in Nigeria
In the wake of the COVID-19 global pandemic, the responses of government and private entities to the epidemic include the development and deployment of technological solutions (apps) to stem the tide of the epidemic. According to the Economist, these solutions focus on: first, documentation: using technology to say where people are, where they have been or what their disease status is; secondly, modelling: gathering data which help explain how the disease spreads; and thirdly, contact tracing: identifying people who have had contact with others known to be infected. It is in the interest of humanity to curb the spread and completely eradicate the virus.
These solutions rely, through technical means, on ‘sensitive personal data’ such as biometric data, genomic data, location data, and health data. The solutions are used in locating, contacting, screening, flagging, managing social distancing, and monitoring people. Telecommunication companies are also reported to be involved in providing government with archived, “anonymised”, and retained location data of customers. Countries in some parts of the globe are deploying facial recognition, anti-terror methods, symptom tracking, and other measures in the fight against the virus.
The use of these data is essential to success against the epidemic. The pandemic is a public health crisis necessitating urgent measures to curb and eradicate it. Nonetheless, upholding data protection is equally crucial for the preservation of human rights before the pandemic, during the pandemic and after it is over and behind us.
Why so much fuss between data protection and COVID-19?
“Authoritarianism — for the “right” reasons — starts looking tolerable, even good, because it looks like the only option.” Jathan Sadowski
The conversation pits data protection against response to the epidemic, or insinuates that data protection is limiting the response to a public health crisis, in effect pitting healthcare professionals against data protection and privacy professionals. The debate seems to be between those who believe data protection should be a trade-off for public health and those keen on the protection of human rights without compromise. The two extremes are fatal to the effort to combat the epidemic.
The misgivings stem from the apprehension of excessive and long-term surveillance and its possible normalisation post-COVID-19. The concern is whether this is another version of the post-9/11 mass surveillance, with national security as the basis for mass data collection and interception. Cities in China now assign residents a color-coded classification for contagion risk to decide if they should be quarantined or if they can access public transport “or allowed into subways, malls and other public spaces.” “As is often the case with such scoring systems, there’s no full explanation of how its scoring decisions are made and no due process for challenging it. The opaque processes that depend on inherently biased data will lead to unjust discrimination and unaccountable outcomes.” In the Indian state of Karnataka, authorities are deploying technology, including smartphone apps with geotagging features, to ensure strict observance of home quarantine. People are mandated to upload a “geotagged selfie every half-hour” to a mobile app.
There is also the fear of discrimination without an avenue for accountability. This is heightened by the risk of medical research data connected to the COVID-19 crisis being reused, and the risk of data being stored beyond the pandemic. The fear is aggravated in countries with poor human rights records, where the government is happy to justify the extreme measure of surveillance under the garb of public interest or national security. There is fear that the epidemic could be a basis for the government to retain data beyond this phase under the garb of designing a system and measures to protect citizens against future epidemics.
Will data protection impact the fight against the epidemic?
The battle is not between data protection and public health. It is not a zero-sum game. Health data is crucial for scientific research aimed at developing treatment options and vaccines. Contact tracing is vital for curtailing the spread. The purpose of data protection is to protect people (personal data) and prevent abuse. The extant laws allow the use of personal data for public health while adopting the principle of necessity and proportionality. The safeguard is to ensure that such solutions comply with the requirements of the law. It is critical to understand the principles of data protection and see whether the solution being built aligns with them.
Operationalising the principles of data processing and COVID-19
Balancing epidemic response and respect for human rights is vital to the fight against the virus. The response to the epidemic should not mean complete erosion of the fundamental rights protections under the law. Both private and public driven initiatives should conform to the principles of data protection. Regard should be given to lawfulness, accuracy, and data minimization when using location data and tracing interactions between data subjects. The use of such data should be on the basis of necessity and proportionality: necessity implies the least intrusive option, and the processing must be a targeted and proportionate way of defeating the pandemic. The use of personal data should be subject to a specific purpose and limited strictly to what is necessary to tackle the emergency.
Health records should be kept for a specific period or temporarily, mainly to combat the epidemic. The solution should have adequate security. Accountability entails that the measures implemented to manage the emergency and the decision-making process should be documented, and controllers should be transparent about these processes. Transparency means establishing a legal basis and allowing people to have full information about what is being done. If data is to be repurposed, information about this should be accessible to data subjects and made available in plain language.
What does the law say?
The National Health Act 2014 (NHA) and the Nigeria Data Protection Regulation 2019 (NDPR) principally regulate data protection in the health care sector. The current public health crisis is no doubt one of public interest. Public interest is one of the legal bases for data processing recognised under the NDPR; there are four other recognised legal bases that could be used in appropriate circumstances. For organisations building a solution, it is crucial to establish the appropriate legal basis before processing personal data. The NDPR allows the further processing of data for scientific research in the public interest. The NHA states that such data should be de-identified. It is worth mentioning the concern with de-identified and pseudonymised data as against anonymised data. Similarly, the National Information Technology Development Agency recently declared that the collection of data can be done on the basis of public interest and vital interest, and that such collection conforms to the Nigerian data protection framework.
Public interest can only be used as a legal basis if the task is carried out in the public interest or “in exercise of official public mandate vested in the controller.” Carrying out such a specific task in the public interest, or exercising such power as a public authority, should flow from a law. The establishing Act of the Nigeria Centre for Disease Control and Prevention (NCDC) states that the Agency shall have the power to:
- Protect Nigerians from the impact of communicable diseases of public health importance;
- Maintain the highest state of alertness to detect and respond to disease outbreaks, public health disasters, mass morbidity and mortality due to pathogenic, chemical and biological agents;
- Develop and coordinate capabilities, measures and activities to control outbreaks and mitigate the health impact of public health disasters; and
- Develop and coordinate an infection network for the reporting and notification of communicable diseases.
In addition, the Nigerian President, relying on the Quarantine Act, signed the COVID-19 Regulation 2020, enabling the government to impose a lockdown in some parts of the country and to take some other emergency measures.
Will this impact on the right to privacy and other rights?
Framing the discourse around privacy or public good, rather than privacy and public good, is unhelpful. The right to privacy is recognised and guaranteed under the Nigerian Constitution; the right is not absolute and can be limited in the interest of public health. The epidemic response also impacts other rights. The imposition of lockdown to curtail the spread of the virus relaxes the right to movement and association, and is justified under public interest. Similarly, the right to personal liberty is impacted and will be waived in the case of “… persons suffering from infectious or contagious disease,…for the purpose of their care or treatment or the protection of the community.” However, the constitution is clear that such derogation or waiver of rights will only be possible where it is “reasonably justifiable in a democratic society.” As such, most data protection regulations recognize the need for balance between the rights of individuals, their personal data and the justifiable interference with these rights.
Navigating the tide
In summary, the three (3) recommendations below are a starting point for any organization to navigate this tide:
- Identify the lawful basis for data processing and adopt data protection principles
The legal basis for processing should be established, and processing should be strictly based on what is necessary and proportionate to eradicate the pandemic. Processing should be time-bound, temporary and should not extend beyond the period of the pandemic. In the event that it will exceed that period, a lawful basis should be established to continue such processing, and the data subjects should be informed. Organisations should ensure they can demonstrate there is no other reasonable and less intrusive means to achieve the purpose. The confidentiality and integrity of the personal data should be protected at all times;
- Data Protection Impact Assessment (DPIA):
This is required to be conducted for new or existing processes or technology that would impact on personal data, or be required for the processing of personal data. Both public and private entities building products, processes and solutions should conduct a detailed data protection impact assessment before they build, to verify that it will not lead to occasional risk and danger to the rights and freedoms of individuals. The technical solution should work alongside manual contact tracing and the professional advice of epidemiologists; and
- Data Protection by Design and Default
Similar to baking in security rather than bolting it on, data protection by design and default entails embedding privacy and data protection requirements into the early phases of the solution build – the analysis and requirements definition phase. Organizations should embed data protection by design and default into the solution from scratch, as part of the product and software development life-cycle (SDLC). Privacy-enhancing and preserving technologies should be used to limit risk.
Data protection does not inhibit innovation; rather, it enhances it by focusing on the rights of individuals and human life for a greater good.
Nurudeen Odeshina works on Privacy, Data Protection and Cybersecurity
Ridwan Oloyede is the Partner (Privacy & Data Protection) at Tech Hive Advisory, and a Research Fellow at the African Academic Network on Internet Policy