Have we learned from the Jamcovid app experience?Wednesday, March 24, 2021
IT was recently announced that on Monday, March 22, 2021 the Government of Jamaica will launch its web-based system for the registration and scheduling of appointments for individuals who wish to receive COVID-19 vaccines. Further, it was reported that the Ministry of Health and Wellness signed a contract with itelbpo Smart Solutions which has been engaged as the call centre for people to register and make appointments for vaccines in Jamaica. Have the appropriate technical and organisational measures been put in place to safeguard the personal data of Jamaican residents that will be processed by this application and these third parties to avoid a repeat of the Jamcovid app incident?
The speed of national technology adoption is mind-blowing and, whether we like it or not, at the end of this pandemic Jamaica will come out at the other side a country well on its way to becoming a digital society. This is in no small part due to the intentional and deliberate policies of the Government to leverage technology solutions to solve some of the immense challenges we face with COVID-19.
The Jamcovid app is a successful demonstration of the significant and direct impact a technology solution was able to have on our economy by making it easier and safer for the Government of the day to open up its borders and salvage a fraction of the tourist dollar. In implementing the solution, however, expediency seemed to take priority over data privacy and the resulting fallout is now apparent for all to see.
Has the Government learnt its lesson now that they have experienced the fallout of the publicising of the vulnerabilities of the Jamcovid app which left residents' sensitive personal data exposed? Has the Ministry of Health, notwithstanding that the application is being provided by an international organisation, completed the requisite due diligence and risk assessment on the application as it relates to how it processes the personal data of Jamaican residents and shares the personal data between third parties?
Already we know that there are at least four stakeholders that would access the personal data processed by this application. We have the Ministry of Health and Wellness (MoHW), the software provider, itelbpo Smart Solutions, and the vaccine service providers. I am sure the data is being shared with other stakeholders that we are not aware of.
Let us be clear, leveraging software solutions such as these is not only necessary, but the only way in this Information Age. The Government can be viewed to be efficiently implementing this national inoculation exercise. It is evident that the lawful basis for processing the data in this manner would be that it is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller. Notwithstanding the necessity and the lawfulness of the processing, the MoHW is obliged to ensure that the requisite measures are in place to safeguard the personal data of citizens when processed in this manner.
The issue of whether the appropriate safeguards were in place to protect the privacy rights of French citizens who were also being required to use an online appointment system to book appointments to receive COVID-19 vaccinations came up for consideration as recently as March 12, 2021 in the the Conseil d'Etat — France's highest administrative court.
The Conseil d'Etat court ruled that personal data on a platform used to book COVID-19 vaccinations, managed by Doctolib and hosted by Amazon Web Services, was sufficiently protected under the European Union's General Data Protection Regulation because sufficient safeguards, both legal and technical, were put in place in case of an access request from US authorities. Importantly, the judge noted that technically the data hosted by Amazon Web Services is encrypted and the key is held by a trusted third party in France, not by Amazon Web Services, to prevent data from being read by third parties. The court also took into account that the data hosted relates only to the identification of individuals for the purpose of making appointments.
Moreover, the court noted data is deleted at the latest after a period of three months from the date of the vaccination appointment meeting and individuals are also offered the possibility to delete their data directly online if they wish. Under these conditions, the court ruled the level of protection of the data at stake is sufficient.
Has the MoHW assessed the risks to Jamaicans' privacy rights in implementing the solution? Or, more specifically, has a data protection impact assessment been conducted? There are a number of specific issues that the MoHW ought to have addressed their mind to:
• If so, what is the logical flow of data between the vaccine information system and the various other systems and stakeholders who will participate in the end-to-end process?
• Have the roles of all the parties who will provide data or have access to data processed by the system been identified; that is who is the data controller, who is the data processor?
• Are contracts in place between the parties which set out the processors' obligations and controllers' obligations and rights with regard to the personal data that is being processed?
• What are the data types being collected and have retention policies been established for the separate data types?
Has the MoHW identified the potential risks associated with processing the personal data in the proposed manner? We have identified just four of the numbers of risks that will arise:
• risk of insecure methods of data transfer used that allows access to patient data, or any other data transferred to the third party;
• risk of the system being hacked to obtain patient information;
• users are not given sufficient information about how the system works, what data will be collected, and for what purpose in a comprehensive way; and
• the sharing and merging of datasets can allow organisations to collect a much wider set of information than individuals might expect.
Having identified these risks, the appropriate controls have to be implemented to remediate the risks.
Not only is the above a nice to do, it is what is actually required under the Data Protection Act. Conducting a data protection impact assessment should form an integral part of the project planning phase, and if it was not done already — because of expediency — it is not too late to backtrack and put our house in order.
These data privacy issues are not new. As far back as November 2019 I wrote a column published in the Jamaica Observer that foreshadowed these issues.
It is essential that this online scheduling system guarantees the security and privacy of personal health information. The public will rightly expect that to be the case. The system ought to be hosted in accordance with the appropriate standards for protected personal health information — that is, security/encryption, disaster recovery, confidentiality and privacy practices, and policies based on pertinent laws or regulations that protect subjects whose data are recorded in the system.
Let us demonstrate that we have learnt from the valuable lessons that we have been taught.
Chukwuemeka Cameron, LLM, is an attorney, trained data protection officer, privacy practitioner, podcaster, and founder of Design Privacy, a consulting firm that helps you comply with privacy laws and and build trust with your customers. Send comments to the Observer or firstname.lastname@example.org.
Now you can read the Jamaica Observer ePaper anytime, anywhere. The Jamaica Observer ePaper is available to you at home or at work, and is the same edition as the printed copy available at https://bit.ly/epaper-login