This post is part of a series on contact tracing apps. You can read our introduction to the series and find links to the other entries here.
As McKinsey noted in a recent report, the use of technology across the more developed economies in Asia has been a major contributor to enabling these countries to contain the pandemic at a faster rate and more completely than has been achieved elsewhere and to curtail the disruption it has caused.
The first of the six technology-enabled interventions that McKinsey identified is a 'watertight track–trace-test quarantine cycle' involving collaborations between public and private players. The authors reference South Korea’s Corona Map and Corona 100m contact-tracing apps as a notable example of this type of public health response.
In this last post in the series, we look at how Asian governments are choosing to make the use of contact tracing apps obligatory and how at the same time they are expanding the reach of these mobile apps, as well as the steps being taken to manage the privacy impact of the accumulation of sensitive location and health data.
As noted in our second blog post in this series, requirements vary between cities as to whether organisations are required to make use of PHI code ‘traffic light’ systems.
There is still no nationwide requirement to implement these systems. However, even in regions that have not officially adopted the PHI code system, many facilities will not allow entry unless entrants show their PHI code, making it difficult for the average person to get around without one.
Apart from Shanghai and Beijing, other local governments have also announced requirements to implement the code system.
For example, the government of Hainan province requires airports, wharfs, train stations and metro stations to check passengers’ PHI codes. Shopping malls, supermarkets and other public places, including drug stores, are also required to check visitors’ PHI-codes before allowing them to enter. Individuals with yellow codes are being denied entry while those with red codes are reported to local community authorities.
Senior citizens or children without smart phones are required to either have their family members present their codes on their behalf, obtain a print-out of the health code (which will be valid for 14 days) or to obtain a health certificate from a local hospital or clinic.
On 22 May 2020 one local government proposed to implement a PHI-code system that would not only display the green, yellow and red code, but also a numeric score representing an individual’s overall health condition. The score will take into account various health factors such as the number of steps an individual takes per day, their consumption of alcohol and even the amount of sleep they are getting.
Diagrams published with the proposal suggest that the app could be used to generate an aggregated score for organisations based on factors such as the average number of steps employees take per day and the proportion of employees that have undergone an annual physical exam, and that this could in turn be used to rank the overall health and fitness of that organisation’s employees with other organisations in the region.
As mentioned in our second blog post, the Central Cyberspace Affairs Commissioned issued a Circular on Ensuring Personal Information Protection and Utilisation of Big Data to Support Epidemic Prevention and Control on 4 February 2020. The circular states, among other things, that data collected for controlling the epidemic should not be used for another purpose. The circular expressly requires local governments to comply with the personal information security specification, which requires, for example, personal data to not be stored for longer than necessary.
As explained in our previous post, the Singapore government has deployed two separate apps for the purposes of tracking and preventing the spread of COVID-19. TraceTogether is a contact tracing app that individuals are encouraged but not required to use. SafeEntry is a 'national digital check-in system' that is being deployed on a mandatory basis and stores data on a centralised basis in a government server.
All businesses in Singapore must deploy SafeEntry for their 'employees, associates and vendors' (although the last two groups are not elaborated on). In addition, facilities such as workplaces, schools, malls and hotels are now also required to deploy SafeEntry to screen visitors to these premises.
The use of SafeEntry is not mandatory at places such as MRT stations and parks, where transient populations are on the move. But the public is still encouraged to check-in using SafeEntry to facilitate contact tracing.
While Singapore’s Personal Data Protection Act (PDPA) contains restrictions on retaining personal data for longer than necessary, the PDPA does not apply to public agencies or organisations acting on behalf of public agencies. This means that there is no formal legal restriction on the length of time for which the government may retain the data.
However, the SafeEntry team has pledged to purge data when it is no longer needed for contact tracing purposes. The SafeEntry website notes that public officials could be sanctioned under administrative rules if data is recklessly or intentionally disclosed, misused for gain or re-identified after anonymisation.
Individuals in Hong Kong are generally not required to install apps for contact tracing unless they are subject to compulsory quarantine.
An individual who is under compulsory quarantine is required to install and activate the StayHomeSafe app in order to register the accompanying tracking wristband. The app uses geofencing technology (rather than exact geolocation) to reduce the privacy footprint.
People in quarantine will be required to keep the app running and enable the Bluetooth, Wi-Fi and location functions on their mobile devices.
The government’s handling of the personal data collected is subject to the Personal Data (Privacy) Ordinance, as discussed in our earlier posts. In comments made to the 53RD Asia Pacific Privacy Authorities Forum, held virtually on 3 June 2020, the Privacy Commissioner stated his view that it is '[l]egitimate and proportionate for the Government to collect and use personal data of […] patients, confines and their close contacts with a view to ensuring public health and safety'. The Commissioner considers the Hong Kong government’s approach in general to strike a good balance between the competing interests of privacy and information transparency.
The Hong Kong government announced on 1 June 2020 that a new health code system separate from that of mainland China will soon be launched to certify the health status of residents in returning from Macau and Guangdong in the Greater Bay Area.
The authorities in Hong Kong, Macau and Guangdong are currently discussing health screening procedures to recognise each other’s health code system and exempt certified individuals from quarantine requirements - a form of travel bubble.
The government is expected to announce a detailed plan on this new system in early June. It is understood that the underlying health data will not be shared between governments.
As discussed in our second blog post, the Japanese government has announced a plan to deploy a contact tracing app that uses Bluetooth signals to track individuals who have come into contact with persons who subsequently test positive for COVID-19.
The government is expected to announce further details of the app shortly. We will update this post once further information is available.
Other posts in this series:
- Round 1: What’s happening?
- Round 2: Legal considerations for companies that want to use contact tracing
- Round 3: Are companies required to use contact tracing?
In comments made to the 53RD Asia Pacific Privacy Authorities Forum, held virtually on 3 June 2020, the Hong Kong Privacy Commissioner stated his view that it is “[l]egitimate and proportionate for the Government to collect and use personal data of […] patients, confines and their close contacts with a view to ensuring public health and safety”.