Background
In March 2020, the World Bank declared COVID-19 as a global Pandemic prompting governments and health officials to take precautionary measures to curb the spread of the virus. Some of the measures put in place require an aspect of mass surveillance in order to map out close contacts who may have interacted with an infected or a potentially exposed person.

The contact tracing requires the collection of data ranging from contact information to health data as well as location of an individual and those around them using technology. The collection of the data increases the likelihood of abuse of the right to privacy enshrined under the constitution of Kenya, 2010 and reinforced under the Data Protection Act, 2019 (“the Act”). The Act allows for the processing of data by a healthcare provider or a person subject to the obligation of professional secrecy under law under the condition that it is for public interest and is carried out by a person who owes a duty of confidentiality under law.

Applying the Data Protection Act to Contact Tracing
The Guidance Note provides direction on how innovations built in response to the Pandemic may request for access to personal data from government institutions or private entities to enable product development. This is important as:

• The contact tracing as well as collecting data for purposes of COVID and research throughout 2020 lacked clear legal guidance and express safeguard in the event of breach.
• There has been prevalent ignorance on the application of the Data Protection Laws to the health bodies and government institutions and private entities on how the personal data is stored, collected and shared.

Applying the Data Protection principles
It is notable that the Guidance is made in line with the Data Protection Principles provided for under the Act and provides that:

• parties wishing to process personal data relating to the detection, containment and prevention of the spread of Covid-19 do so in line with the principles of data processing as provided for under the Act.
• the data collected should only be applicable and limited to the purpose for which it was collected.
• The data should not be kept for long periods than necessary for contact tracing and reporting.
• The personal data collected should be processed securely to retain accuracy in its entire life cycle.
• When aggregating and reporting COVID statistics, data should also be in an anonymized format and in a manner that individuals cannot be re-identified. Moreover, it should only be accessible to those that require the information to conduct treatment, research or other responses suitable to address the Pandemic.
• Persons that have access to the personal data are expected to be responsible for its protection and demonstrate that they have put in place a proactive mechanism to safeguard the personal data appropriately.
  Those in possession of the data may also be called upon by the Data Protection Commissioner to demonstrate compliance to the Act.
• Persons requesting for the personal data are also expected to enter into a data protection and sharing agreement with the entity or person having control of the personal data.
  

Requests for Information
Applications requesting access to personal data, the concerned person shall publish policies on what information is being collected and with whom the information may be shared. Also data kept for a longer period should be non-identifiable information.

Guidance for Public Entities
For public entities, requests for personal data should be channeled through the relevant agencies. For instance:

• health data will be sourced from the Ministry of Health;
• telecommunications data from the Communications Authority of Kenya;
• transport data from the National Transport and Safety Authority, among others.

Data Sharing
Data sharing between parties has to be guided by:

• a valid agreement including nondisclosure agreement;
• data confidentiality and safeguard provisions; as well as
• the data destruction technique to be used; and
• data protection impact statement based and a data responsibility matrix, subject to approval by the Office of the Data Protection Commissioner.

Consent
Consent must be sought in the sale of the personal data or when transferring it out of the country. Transfer of the data to other countries may only occur if there is sufficient proof on the appropriate safeguards in regards to the security and protection of the personal data.

Data Request Template Form
The Guidance note provides a Data Request Template Form for data requesters to collect the data from individuals subject to their consent. The Form details questions geared towards reinforcing the provisions of the Act. For instance, a requestor will be required to provide:

• ‘how long’ they will take to process the data,
• the purpose of the data and
• how the data will be kept among others.

The data requests are then to be forwarded to the right data holders/controllers for further processing.

Industry Sentiments
Kenya has joined a number of other African countries that issued Guidance on Data Protection during the Pandemic a while back. The countries include: South Africa, Senegal and Mauritius among others.
The Guidance Note reiterates the Act in regards to the procession of personal data. It however overlooks the distinction that the Act provides for in relation to:

• Personal Data,
• Sensitive Data and
• Health Data.

It is possible that the data collected for purposes of Covid-19 may touch on all three types of Data as some research and innovations may require a revelation of personal health status, as well as the state of health. It is widely reported that Covid-19 is seen to affect people differently depending on their health status as well as their health conditions (pre-existing or current).

Although the Guidance Note provides that the data collected should not be kept for long, it does not provide a specific period. Some health projects and researches may take years to materialize and the data can only be destroyed upon achievement of the specified purpose.

However, the best practices for destroying the data other than making it de-identifiable are not highlighted. The Destruction of data is complicated as merely deleting or destructing it may be insufficient as it can be recovered or reconstructed in a clear form.

Invitation for Comments on the draft “Guidelines on Access to Personal Data During Covid-19 Pandemic”
The Office of the Data Protection Commissioner, through the Covid-19 ICT Advisory Committee, has developed the Guidance Note on Personal Data Protection on Covid-19 Responses.
Stakeholders are invited to submit their inputs and comments and send them to the email address policy@odpc.go.ke. The deadline for submissions is in 21 days from the date of the advert (Jan 12, 2021).