Recommendations below are drawn from Access Now, Freedom House, and Paris 21.
Open response measures place transparency, accountability, and participation at the center of immediate government efforts to curb contagion and provide emergency assistance.
Data Collection, Use, and Privacy
- Legality: Data collected should be grounded in existing law. Laws should cover a broad range of actions (processing, collecting, selling, sharing); actors (public and private); and explicitly state excluded categories of data.
- Transparent terms of service: The policies, intention and public-private contracts surrounding data collection, processing, and disposal, as well as data subjects’ legal rights, should be publicly available.
- Scope of data collection and processing: Only collect and store data necessary to respond to the crisis and only share it through secure means with those who are integral to the response.
- Anonymized and secure data: Do not reveal patients’ personal information when reporting virus infections and statistics on person-level data such as age, gender, and race and ethnicity. Under no circumstance should health data be sold or transferred to third parties who are not working in the public interest.
- Public processing register: Create a publicly available register of algorithmic processing, covering private and state actors, that can be read in an open data format.
- Transparent algorithms: Ensure algorithms’ source code, mandate, testing means (e.g. audits, black box testing, white box testing), and training data are transparent and open.
Governance and Oversight
- Multi-stakeholder advisory council: Involve experts and civil society in developing and implementing safeguards on data use. Communities that are the most impacted, such as women and racial and ethnic minorities, should be consulted to create specific and effective safeguards.
- Parliamentary oversight: The legislature should use its authority and be adequately resourced to oversee and provide regular, public monitoring of data protection efforts related to COVID-19.
- Strategic partnerships: Collaborations should follow open data and procurement standards with reporting requirements for transparency. Data-sharing agreements between states and companies must be based on existing laws.
- Strong supervision and compliance capacity: Expand data protection officers’ mandate, especially their knowledge of, and resources for, systems that protect privacy and fairness.
- Impact assessments and evaluations: Require impact assessments for all COVID-19 related data collection efforts. Ensure assessments, as well as their mandate and enforcement mechanisms, related to the ethics, human rights, and fairness of data processing systems are public.
Open Recovery and Reform
Open recovery measures place transparency, accountability, and participation at the center of medium-term government efforts to rebuild in the wake of COVID-19. Similarly, open reform initiatives ensure that the public is at the heart of government in the post-pandemic world.
- Clear endpoint: Data collection efforts should have clear and predetermined sunset clauses. Data collected under exceptional circumstances should be deleted or anonymized after the crisis.
- Supervisory body: Identify a supervisory body with investigatory and enforcement powers regarding privacy abuses. This body should have clearly defined abilities to impose sanctions and remedies, and adequate resources to carry out its duties.
- Human rights institutions should exercise their authority, and partner with civil society, to monitor and investigate COVID-19 privacy protection efforts.
- Access to justice: Ensure data subjects’ access to justice is protected in law and that data subjects have access to legal remedies for breaches of privacy.
- Data quality and governance: Involve government statistical offices in the production, quality management, governance and coordination of data.
The following examples are recent initiatives in response to the COVID-19 pandemic and are drawn from our crowdsourced list as well as partner materials.
- Ghana: Ghana Statistical Services, Vodafone Ghana, and the Flowminder Foundation are using anonymised mobile phone data to determine whether citizens are complying with quarantine measures on an aggregate level.
- Mexico: The National Institute for Transparency created a microsite on privacy protection in the context of COVID-19 with information for both data subjects and processors.
- Norway: The Norwegian government and a nonprofit research institute have released a contact tracing app that only tracks an individual’s contacts after they’re diagnosed with COVID-19. Data is encrypted, stored on a secure server, and deleted after 30 days. Researchers only have access to anonymized and aggregate data.
- United States: Researchers shared the genetic information of early US COVID-19 cases on open science platforms GISAID and Nextstrain, which helped to estimate how long the virus had been in the US.
The following examples are commitments previously made by OGP members that demonstrate elements of the recommendations made above.
- Australia (2016-2018): Updated government-wide guidance on de-identification processes and publishing sensitive data. Additionally, they amended the Privacy Act to comply with international best practices.
- Chile (2018-2020): Seeks to harmonize data protection with open data policy through a Draft Law on the Protection of Personal Data and the Open Data Policy of the Government of Chile.
- Mexico (2019-2021): Convened a multi-stakeholder forum to determine policies for government collection and use of private data.