Can data collection be key to finding a solution to public health emergencies such as COVID-19, and can the creation of digital surveillance to control coronavirus pandemic carry a high risk of failure and side effects?
Due to monitoring, successful fight against the spread, early detection and suppression of COVID-19, the Government of the Republic of Macedonia enacted a Decree with force of law to supplement the Decree with force of law for the application of the Law on the protection of the population from infectious diseases during a state of emergency. According to all this, the Ministry of Health, as a measure, can apply Internet platforms, smart applications, electronic services, etc. to determine whether a person has been or is suspected of having direct contact with a person diseased or infected with coronavirus, as well as timely information of a certain person who has been in direct contact with a person deceased or infected with coronavirus and his timely medical treatment.
From the aspect of personal data protection, the Ministry of Health will now have a legal basis on which to conduct the processing of personal data, whereby the regulations in the field of personal data protection will be also applied.
It is important to note that the Law on personal data protection, as well as the General Data Protection Regulation (GDPR), are not an obstacle to the implementation of the measures to prevent the spread of coronavirus. Article 10 paragraph 1 line 5 and Article 13 paragraph 2 line 9 of the Law on Personal Data Protection should be taken into account, according to which the processing of personal data is legally permitted, if necessary for performing works of public interest or when performing public authorization of the controller determined by law and can be performed if necessary for the purposes of public interest in the field of public health, such as protection against serious cross-border threats to health, which provide appropriate and specific measures for the protection of the rights and freedoms of the data subject, in particular the protection of business secrets.
According to the Agency for Personal Data Protection, measures against coronavirus applied by state institutions, private companies and organizations may include processing of personal data such as name, address, workplace, travel data, including special categories of personal data such as health data. The exceptions for processing this data determined by law, do not refer to the public disclosure of personal data of infected persons or persons in self-isolation, hence any disclosure and sharing of personal data of deceased persons with coronavirus or persons who are in domestic isolation or in state’s quarantine, by unauthorized persons, is a violation of privacy and violation of the right to the protection of personal data and is subject to sanctions under the law.
In the direction of the abovementioned, the Government of the Republic of Macedonia adopted the information on StopKorona! – a mobile application for monitoring coronavirus exposure, and authorized the Minister of Health to sign the Donation Agreement between the Information Technology Company Nextsen LLC as a donor and the Ministry of Health of the Republic of Macedonia as a receiver.
StopKorona! is a mobile application for dealing with coronavirus, designed to detect close contact with potentially infected persons through a procedure for proximity detection through mobile devices/applications via Bluetooth technology.
According to the Privacy Policy (instructions on which data should be processed and for what purpose), which is available at stop.koronavirus.gov.mk, the only data kept by the Ministry of Health are:
• mobile phone number;
• unique arbitrary user identification code;
The application does not monitor or collect data on movement and location, and the data will only be used to find people who could be potentially infected with COVID-19. At your own discretion, the functionality of the application can be disabled at any time by disabling the Bluetooth permission through the application or by deleting the application.
Applying COVID-19 measures with the use of personal data is unlikely to face legal obstacles. The real obstacles could be the loss of public confidence due to misuse of personal data, if personal data is used for other unrelated purposes or if the explanation for the use of the data is not written and published in a clear, understandable and easily accessible way. Such a project can only work if a large number of citizens participate.
The question is not only whether it is possible to use personal data, but also how to do it properly. Therefore, it is important that the data processing, including health data, is justified and limited to what is necessary to achieve the goal.