Technology and the containment of COVID-19

Authors / contacts: Karim Derrick


Only a few weeks ago I talked about data privacy in the context of the website Clearview. Clearview set out to use social media images to create the world’s biggest photographic database of individuals, many times bigger than the databases maintained by US security agencies. I made the point that whilst Clearview’s aims are honourable, the risk and fear is the consequence of the database in the wrong hands.

That privacy quandary now pales in comparison with what the globe faces. Covid-19 is likely to be the biggest crisis the world has faced since World War Two. With the possibility of deaths that run into the millions, governments across the world have acted to limit the likely economic devastation that will follow weeks if not months of suspended economic activity.

Data is king: countries that have collected and used it effectively have contained the crisis in a manner that has eluded much of the rest of the world.

Data is king

In amongst the unfolding COVID-19 emergency, South Korea stands out as having almost effortlessly succeeded in controlling the outbreak within its borders through the application of a technology. That technology, like Clearview, presents a range of legislative, ethical and technical issues. These issues present themselves because once again in our modern world, data is king: countries that have collected and used it effectively have contained the crisis in a manner that has eluded much of the rest of the world.

Technology from South Korea

The South Korean government’s ‘trace, test and treat’ strategy is made up of two key approaches. The first centres around government public reporting of each and every infection. Each infection is investigated regionally and then publically reported by a variety of means including website, SMS and app. The reporting is incredibly detailed showing every movement made by the infected individuals since infection with precise locations and times (Fig 1). The data shows which shops they visited, what transport they used, when and if they were wearing a mask, where they ate, where they drank. The data is captured using a combination of means including surveillance camera footage, credit card transactions and mobile phone usage.

By making the data open for public consumption, enterprising individuals have found ever more efficient ways of presenting the data to provide greater utility. Overlaying the data onto maps is one obvious route – providing the same data via mobile phone apps that automatically alert individuals to the location of those people who are infected. If people believe they may have had contact or been in close vicinity of the infected individuals, those people are encouraged to be tested. This means that the finite testing resource is concentrated on those most likely to be infected, with or without symptoms

The second approach is to ensure that those that are infected with mild symptoms are equipped with apps that ensure quarantine and facilitate regular contact with monitoring staff. This app isn’t just used by locals; anybody and everybody flying into the country is required to quarantine and use of the app is mandatory. Between both apps, South Korean authorities have detailed real-time data about each and every infection in Korea. So far that has meant the outbreak has been controlled in a way no other country in the world has managed to replicate.

Technology from China

China’s use of technology has been perhaps more fragmented but still effective. Wuhan’s health-check app is designed to flag possible carriers of Covid-19 with a health code on the app used to indicate those that are undergoing quarantine: red indicates that the user is undergoing 14 days of quarantine. Yellow means lower risk and 7 days of quarantine.

Everybody wishing to move around the city is required to show their app at checkpoints and present a green code. Drones have been employed on road routes where drivers must show the colour codes to the drone in order to gain access to certain parts of the city.

The Economist suggests that data surveillance systems and approaches to Covid-19 in China are not as joined up across the provinces as one might assume.  Data from Smart Phones and facial recognition cameras has been widely reported as having been used to identify those that threaten the Chinese state. However, it would seem that such efforts have tended to be provincial and that there is poor sharing of data between provinces or companies.

In Taiwan mobile phone tracking has been used to ensure people who are in quarantine stay in their homes. By monitoring the mobile phone signals authorities are alerted when people leave their homes or turn off their phones. Officials will visit those that trigger an alert within 15 minutes.

In Singapore a contact-tracing smartphone app has been launched to allow the local authorities to quickly track people who have been exposed to confirmed Covid-19 cases. TraceTogether  identifies people who have been in close proximity with the infected using wireless Bluetooth technology. Again this means that the authorities are then better able to focus their testing.

Legislative background to South Korea’s success

So why is it that Korea in particular have been so far ahead in the race to control Covid-19? To a huge degree, Korea’s story begins with the 2015 MERS outbreak, which was poorly managed and cost the country many hundreds of million dollars in lost tourism revenue.  Throughout the crisis the Korean population were left in the dark about who was infected or which hospitals had cases. The government did not release the information for two reasons – first for fear that disclosure of patients’ private information could violate medical ethics, and second, for fear of promoting the potential economic damage for hospitals and other private businesses.

Consequently, following MERS , public disclosure provisions were added to the Infectious Disease Control and Prevention Act. The legal framework for Korea’s disease-prevention policy included a new law that allowed laboratories to use unapproved in-vitro diagnostic kits in the case of a public health emergency. On February 4, as Covid-19 landed, the Korea Centers for Disease Control and Prevention took advantage of the post-MERS reform and authorized an unlicensed Covid-19 test which enabled the government to lead the world in Covid-19 testing volumes almost from day one.

Testing however is only one part of the story. The Personal Information Protection Act (PIPA) in South Korea, like the GDPR in Europe, imposes strict compliance requirements on entities that collect data that could be used to identify a specific person. Individuals also have the right to be forgotten, among other data ownership rights. However, while all organisations are required to comply with PIPA, government agencies that require personal data for public interest purposes can collect and use data without the need to obtain consent. It is this exception that has enabled the South Korean’s government to collect, process and widely disclose personal data. In turn, health authorities have been enabled to conduct contact-tracing with amazing precision. Moreover, when the infected receive an order from a medical center in South Korea to quarantine, those orders are legally binding; breaking quarantine can mean prison.

In Europe, specific data processing exemptions for epidemic response exist under GDPR, although they are of little use in relation to, and do not allow for the unfettered dissemination of, ‘special category’ health data where the individual in question still has capacity – not of much use when tracking COVID, many of whom are asymptomatic in the critical early days when they are most likely to spread infection. Other provisions allow for the sharing of health data without consent only if necessary for reasons of public interest in the area of public health. But, navigating the multitude of exceptions to GDPR exemptions can be tricky and given the level of fines that can be imposed for falling short of the GDPR – let alone the reputational damage bad data practices can bring –  this may explain how businesses remain hesitant to take the enterprising leaps that have been seen in South Korea, even despite recent guidance from the European Data Protection Board recently on data sharing and processing during this crisis. 

Human-rights concerns

South Korea has enjoyed substantial support for the extraordinary disclosure of private information illustrated above and as supported by recent government surveys. However – there is widespread concern across the globe that the pandemic will prove to be a precursor for covert erosion of data privacy controls. Israel has been criticised for railroading emergency laws that allow the state to use mobile data for COVID contact tracing. Sapiens author Yuval Noah Harari has written that in moments of crisis decisions taken in hours readily become permanent fixtures when the crisis passes. The Coronavirus Bill in the UK, as an example, provides for powers that may last up to two years. Today technology has enabled the possibility of surveillance on an unprecedented scale. Yuval speculates that over the skin surveillance of our movement pre-Covid could quickly become under the skin surveillance post-Covid, via the wearing of biometric bands. Such bands, which are more advanced than the fitness watches many of us already wear, could be used to better monitor our health via temperature and thus infer infection and track an outbreak.  Monitoring measurements like these can indeed be used for public good. However, the issue of concern is around how else they could be used. Might that include monitoring public response to a political speech or government policy? Or even for automating the application of force where emotional responses to events are undesirable?

UK Strategies

In the UK even the limited data that we have is drawing criticism. Where other countries will provide detailed data on gender, age and specific underlying health conditions, UK data is much thinner on detail and suffering from lag. For example on the 29th of March 159 deaths were reported, but subsequently it transpires that there were at least 463.

In respect of track and trace measures similar to those adopted by South Korea, since they were not adopted at the beginning of the outbreak in the UK the sheer volume of infections now make it impractical. There are reports that the UK government is in talks with mobile phone providers and tech firms including Google to use phone location data to monitor the COVID-19 outbreak. And in recent days reports have started to emerge around an app being developed by NHS-X that will facilitate track and trace once the outbreak is under control and the growth in infections becomes more manageable. The appears to use bluetooth and has immediately raised privacy concerns.

Businesses and other institutions can also use off the shelf technologies like the Kennedys IQ Platform to track employees who are isolating either because they themselves are showing symptoms or because family members are doing so. Our Incident Manager tool has been adapted to provide a lightweight mobile tool for reporting symptoms back to a client dashboard that provides a real-time summary of infection and employee availability across a business. We are offering this IQ Platform feature for free to non-profit organisations. We are also looking to use mobile phone’s GPS data to help insureds positively volunteer location data in the days ahead of infection to facilitate similar track and trace functionality offered in South Korea.

There is little doubt that data holds the power to help manage any future outbreak and indeed to help secure the end of this one.  However, the potential for unintended consequences cannot be ignored.  Whilst legislation has a vital role to play in ensuring a safe and ethically sound framework, legislation is ultimately the slave of a country’s policymakers. Given the extent of the anticipated economic impacts of COVID-19, one should watch closely how the global policymaker stage responds.

Related news and insights