The World Health Organization, a few months ago, declared COVID-19 a pandemic. Countries have resorted to technological tools to curb the spread of the virus. Technological advancement has been a blessing to the human race. Its impact in the health sector cannot be overlooked. Sophisticated machines are used in surgical procedures and mobile applications are being used for contact tracing. New health protocols require a level of intrusion on individual rights to secure the interest of the majority. However, there is a category of rights, which must not be unduly restricted. One such is the right of privacy.
Information on a person is as useful as the person itself. Justice Bran in Olmstead v. the United States describes the right to be left alone as “the most comprehensive of rights valued by civilized men”. Article 17 of the International Covenant on Civil and Political Rights (ICCPR) provides that “No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.” General comment (No.16) of the Human Rights Committee elucidates on the right to privacy. State parties under ICCPR must ensure that personal information stored on computers, data banks, amongst others, are regulated by law. Also, special measures must be put in place to prevent information stored from getting into unauthorized hands.
The right to privacy, like many others, is not absolute. The Universal Declaration of Human Rights (UDHR) in article 29 clarifies that everyone has a duty to others in the community; thus, everyone is subject to such “limitations as are determined by law solely to secure due recognition and respect for the rights and freedoms of others and of meeting the just requirements of morality, public order and the general welfare in a democratic society.” Likewise, Article 4(1) of the ICCPR permits states to derogate from some rights during an officially proclaimed public emergency that threatens the nation’s life. However, such derogation must be to the extent strictly required by the exigencies of the situation. Even in a public health emergency like COVID-19, any unlawful or arbitrary interference, which exceeds what is necessary to protect public health, is a violation of the right to privacy.
Also, the right to health is a fundamental human right recognized in international and regional treaties. Everyone has the right to the enjoyment of the highest attainable standard of physical and mental health. The realization of the right to health, as stated by Committee on Economic, Social and Cultural Rights (CESCR) General Comment No. 14, is “closely related and dependent on the realization of other rights,” such as the right to privacy. The Committee expressed that although derogation is permitted under the Convention, the limitations imposed by member states must be proportional and the least restrictive alternative must be adopted where several types of limitations are available.
In 2019, the Task Force on Privacy and the Protection of Health-Related Data under the auspices of United Nations Special Rapporteur on the Right to Privacy published guidelines on the processing of health-related data. The recommendation affirms the right of all individuals to “privacy and the confidentiality and protection of their health-related data in electronic health record (EHR) systems”. Similarly, chapter ten provides that “any use of mobile applications must be accompanied by security measures that provide for the authentication of the person concerned, including measures such as the encryption of the transmitted health-related data, and the user or patient information standards on how the health-related data that is collected will be used.” Paragraph 22.5 also provides that “any external hosting of health-related data produced by mobile applications must comply with security rules providing for the confidentiality, integrity, access, and restitution of the data upon request of the data subject”.
In essence, the right to privacy is intrinsically linked to the right to health. As a result, even during public emergencies like COVID-19, the right to privacy must still be respected in upholding the right to health.
Contact tracing is a traditional health technique used in previous pandemics. However, COVID-19 posed a difficult challenge because it had a high contraction rate. Innovative technology companies seized the opportunity to save the day. When contact tracing apps were introduced, privacy concerns were not raised immediately. The primary concern of many was public health. In March, Singapore introduced a contact tracing app called “Trace Together,” and “Asrogya Setu” in India. Most contact tracing applications use Bluetooth or GPS and when two users of the application meet, their phones record that contact. If one of them becomes infected with COVID-19, the application notifies the other person to either self-quarantine or report to a health facility.
The untold truth is that contact tracing apps have access to health records and other personal information like home addresses, train tickets, bus tickets and even credit-card details. An ethical hacker called Elliot Alderson in India exposed the privacy risk posed by contact tracing applications. He claimed that he used the Asrogya Setu contact tracing application to access sick people’s information in private homes, including that of Prime Minister Modi of India.
Another primary concern is that data collected may be kept indefinitely and used to spearhead a government surveillance system after COVID-19. Contact tracing applications must be closely monitored by states and secured to prevent hacks and leakages. Likewise, citizens must be allowed to request for their data to be removed post-COVID-19. The permanent storage of personal data or the same usage for any other purpose without consent would violate the right to privacy of persons using these applications.
The right to privacy must be enjoyed online and onsite. Derogations are permissible for the right to privacy in public health emergencies. However, the right to health is directly linked to privacy. As a result, states cannot escape upholding the privacy of its citizens by invoking derogation clauses. Adequate security measures must be used to prevent the leakage of health-related data, and less intrusive alternatives must be utilized in tracing suspected COVID-19 patients.