- App will help both citizens and govt. to stay informed
- SL has no Data Protection Act or health privacy legislation
- Justice Minister to consider formulating guidelines
As a means of contact tracing to curb the COVID-19 spread, the government recently launched its ‘Stay Safe Sri Lanka’ project, effective from this week as per official announcement. But businesses, government offices and other locations as well as the public are still getting used to the app. While some feel it’s an easy way to enter information without touching pens and books, others feel their personal information may not be secure anymore.
Utilising personal data
The Policy also states that personal data will be used for the following purposes:
- Effective management of the COVID-19 pandemic.
- Provide and maintain the service, including monitoring the usage of the service.
- Manage a user account – personal data that has been provided will give users access to different functionalities available to the user including consular services.
- Contacting users via email, telephone calls, SMS, or other equivalent forms of electronic communication, provide updates or informative communications related to the functionalities, services, including the security updates, when necessary or reasonable for their implementation.
Info will be stored in the cloud: ICTA Chairman
The Stay Safe Sri Lanka digital app was designed by the Information and Communication Technology Agency of Sri Lanka (ICTA) which comes under the purview of President Gotabaya Rajapaksa. “The basic idea is to minimise people gathering,” explained ICTA Chairman Jayantha De Silva. “It takes only two seconds for a person to register using the QR code. They have to provide their NIC number, name and contact number. Once registered, a person will be notified about his COVID status with the red, amber, and green QR codes. If it’s a COVID patient or is someone who has been in quarantine, the organisation will be notified. In the case of an asymptomatic patient, and given that they test positive five days down the line, all first and second level contacts will be informed.”
“We researched about the app for six months. It could be done using GPS, Bluetooth and other technologies. But in Sri Lanka we need to focus on the cultural and economic standards of people and how much technology they can use. With that in mind, we derived a system which could be utilised by a majority of people,” he added.
When asked how people without smartphones could use the App, he said those who have smartphones could go to a shop, scan the QR code and register. “They will then be notified if they are free to go in. Those who don’t have smartphones could send an SMS with their NIC number to register. If you don’t have a smartphone or a mobile you can provide details to the security guard at the venue and they will register you.” According to Mr. De Silva, all information will be stored in the cloud, and only a few people have access to it. The App would help both the government and citizens to stay informed. He said once a vaccine was found, this system will allow the government to prioritise people who needed the vaccine urgently. “We cannot trace contacts manually now.” All businesses, government offices, places of worship and public transport services must be registered on the app.
No data protection laws
“Sri Lanka doesn’t have a Data Protection Act, but every country doing trans-border data transferring should go in line with the 95/46/EC Data Protection Directive,” opined Prof. Prathiba Mahanamahewa, Attorney-at-Law, former ICT Law Committee Chairman, Sri Lanka Bar Association and Advisor to ICT Law Curriculum Committee, West Indies.
“But this is in the case of transporting data. But if they are uploading data to local servers they should specify the data retention period and purpose. There’s a little bit of risk in collecting data online and offline, but the government has stressed the purpose of collecting data is to trace patients and protect people. But if the data is shared and matched with other parties, nobody can file civil legal action. However there could be a Code of Conduct.” He added while health data is sensitive, the Health Insurance Portability and Accountability Act (HIPAA) is effective in the US. “However, there’s no privacy legislation in Sri Lanka. But according to the Right To Information Act, you cannot obtain data from a subject without his or her consent. Therefore a disclosure notice could be included.”
“They claim data is stored in a cloud, but where is this cloud?” asked Prof. Mahanamahewa. “After the pandemic what will they do with this data? Who’s monitoring the data? Someone could hack it if it is not properly protected.”
Prof. Mahanamahewa also stressed on Sri Lanka’s Common Law. “In Sri Lanka there’s a law of delict, based on law of negligence which covers citizens’ privacy offline. Now your personal data will be everywhere. There’s a possibility of getting a host of spam emails. We do not have a Spam Email Act like in the US. Therefore data collectors should be trained on how they will obtain data.”
When asked about the pending Data Protection Bill, Prof. Mahanamahewa said a Bill was not enough. “It has to be published in the gazette, open for people to challenge, have first, second and third hearings etc. Rather than a Bill, a policy is more valid. But what could be done is to get the Justice Ministry to formulate a set of guidelines on protecting the personal data of citizens during this period.”
Will consider formulating guidelines: Justice Minister
When contacted, Justice Minister Ali Sabry said he would look into formulating guidelines to ensure that citizens’ personal data is protected and not misused by any party.
Although the government announced the COVID-19 safety tracing system would be introduced earlier this week, many places are yet to implement it. Sharing their concerns and experiences with Daily Mirror, a few users had this to say:
ID theft and privacy
“ICTA has not addressed privacy issues. The government has militarised everything including issuing NICs. How are they storing, sorting, ensuring anonymity of the data they carry? The level of incompetence, callousness and high handedness is scary. They launched https://niclookup.drp.gov.lk/ with massive fanfare, but it doesn’t work.
They put very little thought into these. What right does anyone have to look up my NIC details? There are private entities that make more of an effort to safeguard our data than the government does. Sadly very few including my parents, friends and colleagues etc. know or care about the dangers of ID theft and privacy.” - Shawn Fernando
Third-party servers and encryption doubtful
“The initiative is excellent, but it looks like they have rushed and not looked at examples followed by other countries. Overall, the apps done by Australia and the UK promote and ensure protection of user information to the uttermost point, and they give the user the option to delete any information stored in secure databases fully after removal of the app.
“Apart from that Helakuru is a third-party app and they have a QR code enabled for us to check-in. Helakuru being a third party, how do they protect user information? There are unanswered questions like: do they transfer user information through Helakuru servers, and what level of encryption do they use?” - Dilith De Silva
“I believe it’s a great initiative from ICTA. Even most of the western countries don’t use that sort of extensive technology to track venues. I think this technology will be used by other countries as well. Regarding data security and privacy, the Stay Safe system is using Lanka Cloud without using a third-party cloud vendor such as AWS, GCP, or Azure. This is a good move.” - Supun Sandeeptha
More awareness needed
“Although it’s a great initiative, I think authorities should advertise this more through the media for at least a few weeks. The majority of Sri Lankans still find it challenging to use these new technological apps. I am from Kandy and haven’t seen businesses using this yet. This is why more advertising is needed to highlight the benefits.” - Milantha Ekanayake
What about confidentiality?
“What is the guarantee the info we give is 100% safe, when our mobile numbers are accessed during elections to send election garbage to us even though we are assured by the mobile company that our numbers are kept confidential?” - Sharon Anne Gomez
“Those who have a smartphone need a QR Reader. Without that this thing is useless. The developers should put up an app with the QR Reader to make it easier. There is no way you can register via SMS. When you send an SMS it just responds with a link to the site. It’s not user-friendly at all.” - Abu Yusuf