Skip Navigation

A Guide to Open Government and the Coronavirus: Privacy Protections

Guía de gobierno abierto y coronavirus: Protección a la privacidad

Guide pour un gouvernement ouvert et le Coronavirus: Protection de la vie privée

Open Response Teal

Recommendations | Examples | Resources | Partners | Back to Main

Governments are collecting unprecedented amounts of personal data to support vital public health efforts, such as tracking COVID-19 transmission and enforcing quarantine. In particular, governments and corporations are collecting and processing citizens’ health and geolocation data on a massive scale.

Given this context, it is more important than ever that governments place transparency and accountability at the center of privacy protection efforts to ensure that citizens’ right to privacy is not eroded under these exceptional measures.

Recommendations

Recommendations below are drawn from Access Now, Freedom House, and Paris 21.

Open Response:

Open response measures place transparency, accountability, and participation at the center of immediate government efforts to curb contagion and provide emergency assistance.

Data Collection, Use, and Privacy

  • Legality: Data collected should be grounded in existing law. Laws should cover a broad range of actions (processing, collecting, selling, sharing); actors (public and private); and explicitly state excluded categories of data.
  • Transparent terms of service: The policies, intention and public-private contracts surrounding data collection, processing, and disposal as well as data subjects’ legal rights should be publically available.
  • Scope of data collection and processing: Only collect and store data necessary to respond to the crisis and only share it through secure means with those who are integral to the response.
  • Anonymized and secure data: Do not reveal patients’ personal information when reporting virus infections and statistics on person-level data such as age, gender, and race and ethnicity. Under no circumstance should health data be sold or transferred to third parties who are not working in the public interest.
  • Public processing register: Create a publicly available register of algorithmic processing, covering private and state actors, that can be read in an open data format.
  • Transparent algorithms: Ensure algorithms’ source code, mandate, testing means (e.g. audits, black box testing, white box testing), and training data are transparent and open.

Governance and Oversight

  • Multi-stakeholder advisory council: Involve experts and civil society in developing and implementing safeguards on data use. Communities that are the most impacted, such as women and racial and ethnic minorities, should be consulted to create specific and effective safeguards.
  • Parliamentary oversight: The legislature should use its authority and be adequately resourced to oversee and provide regular, public monitoring of data protection efforts related to COVID-19.
  • Strategic partnerships: Collaborations should follow open data and procurement standards with reporting requirements for transparency. Data-sharing agreements between states and companies must be based on existing laws.
  • Strong supervision and compliance capacity: Expand data protection officers’ mandate, especially around their knowledge and resources of systems that protect privacy and fairness.
  • Impact assessments and evaluations: Require impact assessments for all COVID-19 related data collection efforts. Ensure assessments, as well as their mandate and enforcement mechanisms, related to the ethics, human rights, and fairness of data processing systems are public.

Open Recovery and Reform

Open recovery measures place transparency, accountability, and participation at the center of medium-term government efforts to rebuild in the wake of COVID-19. Similarly, open reform initiatives ensure that the public is at the heart of government in the post-pandemic world.

  • Clear endpoint: Data collection efforts should have clear and predetermined sunset clauses. Data collected under exceptional circumstances should be deleted or anonymized after the crisis.
  • Supervisory body: Identify a supervisory body with investigatory and enforcement powers regarding privacy abuses. This body should have clearly defined abilities to impose sanctions and remedies, and adequate resources to carry out its duties.
    • Human rights institutions should exercise their authority, and partner with civil society, to monitor and investigate COVID-19 privacy protection efforts.
  • Access to justice: Ensure data subjects’ access to justice is protected in law and that data subjects have access to legal remedies for breaches of privacy.
  • Data quality and governance: Involve government statistical offices in the production, quality management, governance and coordination of data.

Examples

The following examples are recent initiatives in response to the COVID-19 pandemic and are drawn from our crowdsourced list as well as partner materials.

  • Ghana: Ghana Statistical Services, Vodafone Ghana, and the Flowminder Foundation are using anonymised mobile phone data to determine whether citizens are complying with quarantine measures on an aggregate level.
  • Mexico: The National Institute for Transparency created a microsite on privacy protection in the context of COVID-19 with information for both data subjects and processors. 
  • Norway: The Norwegian government and nonprofit research institute have released a contact tracing app that only tracks an individuals’ contacts after they’re diagnosed with COVID-19. Data is encrypted, stored on a secure server, and deleted after 30 days. Researchers only have access to anonymized and aggregate data.
  • United States: Researchers shared the genetic information of early US COVID-19 cases on open science platforms Gisaid and Nextstrain, which helped to estimate how long the virus had been in the US.

The following examples are commitments previously made by OGP members that demonstrate elements of the recommendations made above.

  • Australia (2016-2018): Updated government-wide guidance on de-identification processes and publishing sensitive data. Additionally, they amended the Privacy Act to comply with international best practices.
  • Chile (2018-2020): Seeks to harmonize data protection with open data policy through a Draft Law on the Protection of Personal Data and the Open Data Policy of the Government of Chile.
  • Mexico (2019-2021): Convened a multi-stakeholder forum to determine policies for government collection and use of private data.

Resources

  • Privacy International maintains a database of government responses related to privacy and surveillance.
  • Access Now has written a report on recommendations for privacy and data protection in the pandemic as well as recommendations specific to contact tracing apps.
  • Specific to the EU, GDPRhub offers advice on how to comply with data protection under the GDPR in the context of a COVID-19 response.
  • The Center for Global Development also has a useful article with further recommendations and resources.

Partners who can
provide further support and information

Thank you to our partners at the Web Foundation, Access Now, and CIVICUS for sharing recommendations and reviewing this module.

Downloads

No comments yet

Leave a Reply

Your email address will not be published. Required fields are marked *

Do NOT follow this link or you will be banned from the site!