Date: 3 April 2020
Response to media enquiry on privacy issues arising from COVID-19
Thank you very much for your enquiry about the privacy issues arising from COVID-19. The response from the office of the Privacy Commissioner for Personal Data (PCPD) from personal data privacy perspective is as follows:
Starting basis: balance between privacy rights of COVID-19 patients and public health
-
Personal data privacy right is not an absolute right. What it practically means is that it may be subject to other competing rights or interests, such as the absolute right to life and the interests of the public, including public health.
-
“Right to life” of individuals under (i) Article 2 of Part II of the Hong Kong Bill of Rights Ordinance and (ii) Article 6 of the International Covenant on Civil and Political Rights (ICCPR) means that every human being has the inherent right to life. The Human Rights Committee (HRC) of United Nations also stated in November 2018 that “The right to life is the prerequisite for the enjoyment of all other human rights” and defined the “right to life” as “the supreme right”. It went further to say that “[t]he duty to protect life also implies that States parties should take appropriate measures to address the general conditions in society that may give rise to direct threats to life… These general conditions may include… the prevalence of life threatening diseases, such as AIDS, tuberculosis or malaria… The measures called for addressing adequate conditions for protecting the right to life include… measures designed to ensure access without delay by individuals to essential goods and services such as… health-care… and other measures designed to promote and facilitate adequate general conditions such as the bolstering of effective emergency health services… States parties should also develop strategic plans for advancing the enjoyment of the right to life, which may comprise measures to fight the stigmatization associated with disabilities and diseases,… which hamper access to medical care”. This right is absolute and precedes other countervailing interests, including privacy right. The right to life refers not only to the right of life of the data subject, such as the potential carrier of COVID-19, but also that of others in society.
-
In addition, COVID-19 had been added as one of the notifiable infectious diseases under the Prevention and Control of Disease Ordinance (Cap 599). All registered medical practitioners are required to notify the Centre for Health Protection of the Department of Health of all suspected or confirmed cases of COVID-19. The Centre for Health Protection is also tasked to conduct surveillance and control of COVID-19. If persons are suspected of having close contacts with infected persons, it would be in the public interest to closely monitor their whereabouts, including the venues and the persons that they have visited and contacted, with the aim to control further spread of COVID-19 in the community. The intention of this legislation is also clear, namely to control and prevent the spread of any infectious diseases in Hong Kong. Other subsidiary legislations made under Cap 599 have also provided the legal bases for matters such as compulsory quarantine, requirement for persons to give information to designated health officers to combat COVID-19.
-
In this connection, it is observed that confinees may be ordered under the prevailing subsidiary legislations under Cap 599 or requested administratively to effect the justifiable installation of app in their mobile phones for collecting and analysing the data in the environs including the Wi-Fi and Bluetooth signals proportionately having regard to the following factors:
o there is a pressing need for such measures (e.g. pandemic and short of compulsory quarantine vacancies);
o these measures would serve the legitimate purposes of controlling and preventing the spread of coronavirus and saving lives of the public;
o there is a rational connection between these measures and the legitimate purposes;
o these measures are no more than is necessary to achieve the legitimate purposes;
o only necessary and no excessive data is to be collected;
o data collected will not be used for other purposes without consent subject to applicable exemptions; and
o the benefits (to both the confines and members of the public) of achieving the legitimate purposes are not disproportionate to the encroachment and inroads made into the fundamental right of personal data privacy, in that these measures do not, in all the circumstances of the case, impose an unacceptable harsh burden on the confinees involved.
-
There are therefore strong, justifiable and legal bases for the Government to conduct necessary surveillance of suspected and confirmed patients of COVID-19 for the individuals concerned and the wider community.
Protection of personal data privacy vis-à-vis COVID-19 pandemic
-
The outbreak of COVID-19 was declared a Public Health Emergency of International Concern by the World Health Organisation on 30 January 2020, and characterised as a pandemic on 11 March 2020. There is now a pressing need for the local and international communities to contain the spread of the virus. The compelling interests of public health and safety should be the primary concern for all, including data users.
-
While data protection law can be applied flexibly to protect human lives and data, the PCPD has been advocating that authorities as data users or controllers should first seek to process the personal data in an anonymised or de-identified way. Least privacy intrusive measures should be preferred.
-
If it is unavoidable to process data capable of identifying a person, the Data Specification Principle when collecting personal data; and the Use Limitation Principle when using the personal data must be complied with. The anti-virus measures that may encroach the privacy right of the individuals concerned, albeit a qualified right, shall be no more than necessary and proportionate to achieving the pressing and legitimate purpose of combating the pandemic in the interest of both the individuals concerned and the public. There shall also be adequate safeguards in relation to data security and data retention in place. All practicable steps must be taken to protect the data, especially health data, from unauthorised or accidental access, processing, erasure, loss or use. The Government shall also ensure that the monitoring measures are time-bound and only continue for as long as necessary to address the COVID-19 pandemic. The data must not be kept longer than is necessary for the fulfillment of the purpose for which the data is used.
-
The approach of not letting data protection law hinder the combat against COVID-19 under the current emergent circumstances has been adopted in other jurisdictions as well. For instance, the Information Commissioner’s Office (ICO), the UK, issued a statement on 28 March 2020 stating that “generalised location data trend analysis is helping to tackle the coronavirus crisis. Where this data is properly anonymised and aggregated, it does not fall under data protection law because no individual is identified.”
-
In these unprecedented difficult times for the local and worldwide communities, the health and safety of the public remains the main concern of all people, including the data protection authorities. The PCPD is a fair and reasonable regulator having due regard to issues of serious public concern and interests. While it is critical to contain the spread of virus, the PCPD stressed that COVID-19 pandemic shall not be used as an excuse for indiscriminate and indefinite mass surveillance.
Legal and ethical requirements
-
The PCPD is aware of the use of communication software, video calls, electronic wristbands and the new "StayHomeSafe" mobile app by the Government to ensure that persons undergoing quarantine are staying at the specified places.
-
There is indeed no requirement under the Personal Data (Privacy) Ordinance (PDPO) for data users to obtain prior consent from the data subjects before collection of their personal data, save for direct marketing activities and for using personal data collected for a new purpose other than that at the time of collection.
-
Generally speaking, according to Data Protection Principle 1 of the PDPO, the means of collecting personal data should be lawful and fair in the circumstances of the case. In these difficult times of the pandemic, backed up by the legal basis explained above, there are justifiable and legal bases for the Government to collect additional data with the aid of devices, applications, software or supercomputers to protect the public from serious threats to public health.
-
That said, governments should not derogate their responsibilities in handling personal data. Only minimum, necessary, non-excessive personal data should be collected, and the purpose of their collection should be directly related to their functions or activities (e.g. ascertaining the health condition of the data subjects).
-
The PCPD has been advocating data ethics stewardship based on respect, benefit and fairness. It is pivotal that the Government be transparent and forthcoming in terms of explanation in the collection of personal data of suspected or confirmed COVID-19 patients so that they will be fully informed. Transparency and explainability are the key elements in building people’s trust and confidence in these surveillance measures.
Other information requested
-
As of 30 March 2020, the PCPD received 2 complaints, one each about doxxing of people tested positive for COVID-19 and about people under home quarantine.