The novel coronavirus outbreak has brought into sharp focus the promise and perils of data surveillance in the healthcare sector. As India faces an unprecedented public health crisis that has resulted in a countrywide lockdown, policymakers are trying to figure out exit strategies. Ultimately, lockdowns are brute force instruments and are unsustainable over long periods of time. To bring daily life back to normal at the earliest, some governments are deploying apps for self-diagnosis, contact tracing, quarantine and curfew passes as mitigation strategies. For example, the Indian government has launched the Aarogya Setu app for contact tracing, and as a medium for sharing authentic information with citizens.
At this moment, when all of India is faced with a 21-day lockdown (and perhaps a partial lockdown after 21 days), that is estimated to cost $120 billion, privacy seems to be the least of our worries. However, privacy is a fundamental right of every citizen and the state has the primary responsibility of upholding this right. For example, when the COVID quarantine lists that help identify affected individuals are released in the public domain, the privacy of those individuals is violated, leading to social ostracisation. Commentators as diverse as Yuval Noah Harari and Edward Snowden have warned that heightened surveillance during healthcare emergencies can make the surveillance state the “new normal” with frightening possibilities for individual liberty.
In the wake of corona, governments have released apps for self-diagnosis, contact tracing and curfew passes. These apps can help bring daily life back to normalcy soon. Self-diagnosis apps can help individuals do a quick check and see if the sore throat, fever or other symptoms they have are minor problems or symptoms of coronavirus. These apps can be the first line of defence, and can protect our underfunded medical system from being overloaded by panic-stricken individuals seeking to be tested for the virus.
Contact tracing can help with one of the most difficult challenges in dealing with a highly infectious and asymptomatic pathogen like the coronavirus. If a person is diagnosed with the virus, they may not be able to remember all those they came in contact with in the 14 days that it takes for the symptoms to manifest. Widespread use of contact tracing apps in the early days of the virus can minimise the need for prolonged lockdowns.
In times of lockdowns, people still need their daily essentials like grains, eggs, milk and other supplies. If those supply chains are hit by the shutdown, prices of essential commodities rise sharply, leading to panic buying. Many individuals may also have legitimate reasons for stepping out of their homes — visiting a family member in a hospital, for instance. Curfew pass apps can help the police quickly issue passes to doctors, caregivers, delivery services, couriers and others who keep the wheels of our economy running.
However, the data collected through these apps also provides huge surveillance capabilities to the state. Therefore, as Harari points out, “When choosing between alternatives, we should ask ourselves not only how to overcome the immediate threat, but also what kind of world we will inhabit once the storm passes?”
Where the collection of data through such apps is done by the state, the state must recognise that it is not the owner of the collected data, but merely the custodian of data. Secondly, as compared to the private sector, the state has a much higher responsibility for safeguarding data, because its control of the police, tax authorities and other instruments gives it great coercive power. The threats of state misuse of data are, therefore, much higher than its misuse by the private sector. The only way to mitigate this is by putting privacy and good data governance practices at the centre of such data collection, and by instituting checks and balances on state power.
Wherever data is collected by the state, it must be the minimum required to get the job done. For example, self-testing apps should not collect personally identifiable information, except essential information like age, and gender. This data should be deleted after the crisis is over.
Singapore seems to have set a good example with its Trace Together app — a voluntary app that uses bluetooth technology to detect proximity to other users having this same app. When the app is downloaded, a random number is assigned to the user, and the data is stored on the phone itself in an encrypted manner. Singapore’s Ministry of Health (MoH) is the only entity that can decrypt this data, and it can request the users to share it if the user is diagnosed with COVID-19. This enables MoH’s contact tracing team to quickly identify other individuals who are at risk. By requiring the data to be shared only when the individual has been identified as infected with COVID-19, Trace Together strikes a good balance between public health and protecting an individual’s privacy.
Ultimately data collection practices by the state boil down to the social contract for data between citizens and the state. A responsible state will collect the minimum amount of data required for a specific purpose and delete it after the purpose has been served. No state should take its citizens’ trust for granted. If citizens do not trust the state as the custodian of their data, there will be digital disobedience. Nuanced data collection and governance practices combined with independent audits of these practices will help the state win the trust and collaboration of its citizens. Without such sensitivity, a healthcare crisis could be compounded into a human rights disaster.
The writer is senior fellow at IDFC Institute and member of the Data Governance Network
📣 The Indian Express is now on Telegram. Click here to join our channel (@indianexpress) and stay updated with the latest headlines