Commuters using public transport have voiced their concerns that in the absence of a data protection and privacy law providing personal details in buses could expose people to the risk of data breach (AFP)
Ever since news broke in October of the first community case in two months and more COVID-19 clusters began emerging throughout the country, it has become common to see supermarkets, restaurants and even buses record people’s personal details. While this seeks to aid contact tracing it has raised privacy concerns among many, especially women.
Voice of the people
On social media, people shared their views regarding the matter. “The conductor of the bus I’m on is passing a CR book and pen for all the passengers to write down their names, addresses and mobile numbers,” tweeted one user. Another replied, “Passing a CR book and pen itself is harmful, which can spread the virus one person to another.”
If the general public themselves can maintain a record of the public transport they used the authorities would appreciate it
Speaking to Daily Mirror, physics teacher Erendra Chrysanthus opined that this method of data collection was useless. “Data collection is important for contact tracing, but this method is useless. Manual contact tracing is almost impossible. If a simple app is developed to track movement, it would be more efficient and make contact tracing easier and quicker,”said Chrysanthus. He noted communication providers could use their towers to track users’ movements. This system covers every Sri Lankan, regardless of whether he or she used a smart phone or not.
If a simple app is developed to track movement, it would be more efficient and make contact tracing easier and quicker
Medical student Jinali Rodrigo said that she would feel confident giving out personal details to an established institute, but not to other places. “I think an app will be useful, something like the NHS app in the UK. Such an app will help people know what places are at risk, so they could avoid those places,” she opined.
Noting that android and iOS devices already had a built-in contact tracing app, Dhivaagar Kumarawel suggested these could be used. “They have reasonable privacy precautions built in, so why not use the tech we have right now?” asked Kumarawel.
I think an app will be useful, something like the NHS app in the UK. Such an app will help people know what places are at risk, so they could avoid those places
Nuzaik, a twitter user, suggested that unique codes could be displayed in buses for passengers to send a text using that code to a hotline. He added that this could include other establishments like malls, public places and offices. “A QR code too could be used, but it could be less feasible as it is non-applicable to non-smartphone users, and only one person can scan at a time,” said Nuzaik. He said that the manual system was a poor idea and unsafe for women.
While some cited privacy concerns others believed it was their duty to provide personal information. “We must cooperate by taking necessary precautions as per governmental guidelines. This virus is dangerous. It is our responsibility to cooperate and see the good side of data collection,” said Malki Ruhara, an undergrad studying law.
Meanwhile Amalini De Sayrah tweeted, “Women’s details already circulate too far without their consent, in groups of men waiting to send women all kinds of explicit advances, including soliciting them for sex. This method hands it to them on a silver platter.” Speaking to Daily Mirror, she noted women felt uncomfortable writing their personal details in books which could be accessed by unknown people. “People are suggesting women should leave fake numbers or write the number of a male relative. It’s disappointing that we need to look for workarounds when no thought was clearly given to safety and privacy by the authorities that developed these methods,” she said, adding that this method also stigmatised people for their movements and interactions.
Women are more likely to be worried about privacy than men. There are many untold stories of what women face when their privacy is threatened
“My phone number was taken by an establishment recently. The guy who messaged me addressed me by my name and asked if I went to work that morning in a saree,” said Hiruni Hettiarachchi, an undergrad. She added she had been getting nuisance calls and suspects a data breach.
Psychology graduate Shalindri Mendis said such harassment could harm mental well-being. “Women are more likely to be worried about privacy than men. There are many untold stories of what women face when their privacy is threatened. Assurance must be given at the point of collection that the information would be destroyed after a certain time, and wouldn’t be used without consent for any other purpose,” she suggested.
Personal details will be with the service providers and this database would only be accessible to the health officials.
Contact tracing apps and QR codes at public places and public transport were some alternatives shared on social media. Daily Mirror spoke to founder of Dawn Group, Shimar Ahamed. “Buses could have tablets or devices where the conductor records passenger phone numbers. The numbers connect to the network service provider, and the person’s movement is tracked in that manner. So personal details will be with the service providers and this database would only be accessible to the health officials. They will be able to access it when the need arises,” he said, adding this method could be used for other establishments as well.
Ahamed said depending on funding, the software for this could be made within a few weeks to months. He suggested a multi-purpose app where people could enter the details of their movements. “People could download the app and enter the data. However, there could be irregularities in this system if people forget to enter their data,” he said. The app could also track the virus spread and identify risk zones. Ahamed said if an app was made, the Government would have to make it mandatory for everyone to install it. However, this would not be feasible as everyone doesn’t own a smart phone, he said.
Commenting on the current system, he questioned the authenticity and integrity of the data. “How do we know if all this data is actually going to health officials? Data is being collected on papers and books everywhere. It is valid for someone to have privacy concerns on how this data is used,” he said.
The right to privacy is an important part of Common Law. There is a remedy against a breach of individual privacy
Data Protection Bill
Though the final draft of the Data Protection Bill was tabled in parliament last year, it is yet to be passed. Writer and media and entertainment lawyer Chanakya Jayadeva said privacy was not recognised as a fundamental right in Sri Lanka. “Certain constituents of privacy law are found in some Acts in Sri Lanka and in Common Law,” he said. The Computer Crimes Act was one such law, but it only covers cybercrimes. “The right to privacy is an important part of Common Law. There is a remedy against a breach of individual privacy found in the Common Law as an action for injury. But, this action is very restrictive as several elements have to be satisfied for it to succeed,” he explained. He added until a data protection and privacy law was available, there would always be a risk of data breach. He noted that without correct laws there was no assurance whether data collected was used for the said purpose and would be destroyed within a certain time period. “It is vital that the Government passes the Data Protection Bill, especially in this pandemic,” he remarked.
For 10-12 years we have been talking about data protection. But, I don’t see any action being taken by lawmakers
Sunil Abeyaratne, Co-Chair of Communications, Technology and Data Protection Subcommittee of the Law Association for Asia and the Pacific (LAWASIA) raised similar concerns. “The concept of privacy is not uniform. It differs from various countries and jurisdictions. The reason is the right to privacy and privacy law depends on the socio-economic, political and cultural background of a country,” he explained. He shared that right-to-information was also an aspect of privacy law, but had to be balanced with privacy policies and privacy laws. “For 10-12 years we have been talking about data protection. But, I don’t see any action being taken by lawmakers to enact a privacy law. So far the Data Protection Bill has not been passed,” he said. He added that the Bar Association of Sri Lanka (BASL) had held workshops and conferences on data protection and privacy laws.
Abeyaratne urged lawmakers to study the European Union’s General Data Protection Regulation (GDPR) and adapt it to the socio-economic, political and cultural context of Sri Lanka. “The GDPR states data must be collected only for the required purpose and only for a limited time period. There is also a limit to the data collected to maintain data accuracy. It also outlines how data should be processed and protects the privacy of subjects. Without such laws in Sri Lanka, an assurance cannot be given regarding data security,” he stated. He stressed since Sri Lanka had signed the Cyber Crimes Convention and the Budapest Convention the authorities had a national and international obligation to introduce data protection laws to the country.
We only requested public-private transport like taxis- Uber and PickMe- to collect data to aid contact tracing.
DIG Ajith Rohana
Public must cooperate - DIG Ajith Rohana
The Extraordinary Gazette published on 15 October 2020 and Regulation 94 of the Quarantine and Prevention of Diseases Ordinance enables an “institution or work place which provides essential services or any other services which is required for maintaining national security, national economy, public health or preventing the spread of COVID-19 in any diseased locality in relation to the COVID-19” to “maintain a record of the name, identity card number and contact details of every person entering the institution or work place.”
While Regulation 95, which specifically mentions supermarkets, shops, sales outlets and other places of businesses, has no provision regarding data collection, Police Media Spokesperson DIG Ajith Rohana said supermarkets have been asked to collect data.
“We never made a request for public transportation systems like buses or trains to collect data. We only requested public-private transport like taxis- Uber and PickMe- to collect data to aid contact tracing. When the need arises, they will have to provide us with the data,” he said, adding that this was done in response to the current COVID-19 outbreak in the country.
He revealed that the main source for the recent clusters had not yet been traced, so it was imperative that data is collected to help contact tracing. “If the general public themselves can maintain a record of the public transport they used and keep a record of their movements, we would appreciate it,” he said.
Regarding privacy concerns, he said that the main concept at this moment was to prevent and eliminate COVID-19. “We have to surrender all other concepts to this main concept. If we die, none of these concepts would matter. Therefore we need to live and eliminate the disease. Discussions are currently underway for alternative methods of data collection and to introduce a system in public transport. But for now I humbly request the general public to cooperate,” he stated.
Stay Safe digital programme
‘Stay Safe’ is a web-based app launched on November 9, designed by the Information and Communication Technology Agency (ICTA) which comes under the purview of President Gotabaya Rajapaksa. The app has been designed to help authorities with contact tracing, and the team of consultants included Shanaka Perera, Nuzhi Meyen, Christopher Adikaram and Kanishka Bandara.
Shanaka Perera said that the app had three different methods to gather data. “There is an option to scan the QR code. This QR code will be on the establishments that have registered for the app, and people can scan it. Once scanned, they are directed to a form where they fill out details like the NIC and phone number. When this is filled once, wherever they go and scan it, the form gets filled automatically. The second option is to send an SMS with the unique code of each establishment. For this, the user must register. After that they can continue sending SMSs. The third option is there will be a dashboard available with organizations to enter data,” explained Perera.
To register for the SMS option, one must type “SS REG ” and send to 1919. Perera added that organizations had to register via the website staysafe.gov.lk to receive the unique QR code. He noted expatriates could enter their passport number. The data collected would be stored for 60 days.
Regarding privacy concerns, CEO of ICTA Mahinda Herath said that the data would be stored securely in the Lanka Government Cloud, which is managed and operated by ICTA. “Government authorities and ICTA will have access to it,” said Herath. He said that this was compatible with any QR code scanner, and added popular mobile apps like ‘Helakuru’ and ‘My Health Sri Lanka’ have already started supporting the ‘Stay Safe’ campaign by recognising its QR code in their apps. He added that they were in the process of introducing this for public and private transport. “We are also in a process of developing our solution, so even schools can use it,” he said. The ‘Stay Safe’ app also notifies people via SMS, if they had been exposed to COVID-19.