Have we learned from the JamCovid App experience?
It was recently announced that on Monday, March 22, the Government of Jamaica (GoJ) will launch its web-based system for the registration and scheduling of appointments for persons who wish to receive coronavirus (COVID-19) vaccines. Further, it was reported that the Ministry of Health and Wellness signed a contract with Itelbpo Smart Solutions, which has been engaged as the call centre for persons to register and make appointments for COVID-19 vaccines in Jamaica. Have the appropriate technical and organizational measures been put in place to safeguard the personal data of Jamaican residents that will be processed by this application and these third parties, and to avoid a repeat of the JamCovid App incident?
The speed of national technology adoption is mind-blowing and, whether we like it or not, at the end of this pandemic Jamaica will come out on the other side a country well on its way to becoming a “digital society”. This is in no small part due to the intentional and deliberate policies of the government to leverage technology solutions to solve some of the immense challenges we face with COVID-19.
The JamCovid App is a successful demonstration of the significant and direct impact a technology solution was able to have on our economy by making it easier and safer for the government of the day to open up its borders and salvage a fraction of the tourist dollar. In implementing the solution, however, expediency took priority over data privacy, and the resulting fallout is now apparent for all to see.
Has the GoJ learnt its lesson now that it has experienced the fallout from the publicizing of the vulnerabilities of the JamCovid App, which left residents’ sensitive personal data exposed? Has the Ministry of Health, notwithstanding that the application is being provided by an international organization, completed the requisite due diligence and risk assessment on the application as it relates to how it processes the personal data of Jamaican residents and shares that personal data between third parties? Already we know that there are at least four stakeholders that would access the personal data processed by this application. We have the Ministry of Health and Wellness (MoH), the software provider, Itelbpo Smart Solutions and the vaccine service providers. I am sure the data is being shared with other stakeholders that we are not aware of.
Let us be clear, leveraging software solutions such as these is not only necessary but the only way, in this information age, the GoJ can be viewed to be efficiently implementing this national inoculation exercise. It is evident that the lawful basis for processing the data in this manner would be that it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Notwithstanding the necessity and the lawfulness of the processing, the MoH is obliged to ensure that the requisite measures are in place to safeguard the personal data of citizens when processed in this manner.
The issue of whether the appropriate safeguards were in place to protect the privacy rights of French citizens, who were also being required to use an online appointment system to book appointments to receive COVID-19 vaccinations, came up for consideration as recently as last week, on March 12, 2021, in the Conseil d’Etat, France’s highest administrative court.
The Conseil d’Etat court ruled that personal data on a platform used to book COVID-19 vaccinations, managed by Doctolib and hosted by Amazon Web Services, was sufficiently protected under the EU General Data Protection Regulation because sufficient safeguards, both legal and technical, were put in place in case of an access request from U.S. authorities. Importantly, the judge noted that technically the data hosted by AWS is encrypted and the key is held by a trusted third party in France, not by AWS, to prevent data from being read by third parties. The court also took into account that the data hosted relates only to the identification of individuals for the purpose of making appointments.
Moreover, the court noted data is deleted at the latest after a period of three months from the date of the vaccination appointment meeting and individuals are also offered the possibility to delete their data directly online if they wish. Under these conditions, the court ruled the level of protection of the data at stake is sufficient.
Has the Ministry of Health assessed the risks to Jamaicans’ privacy rights in implementing the solution? Or, more specifically, has a data protection impact assessment been conducted? There are a number of specific issues that the MoH ought to have addressed its mind to:
- If so, what is the logical flow of data between the Vaccine Information System and the various other systems and stakeholders who will participate in the end-to-end process?
- Have the roles of all the parties who will provide data or have access to data processed by the system been identified, i.e. who is the data controller and who is the data processor?
- Are contracts in place between the parties which set out the processors’ obligations and controllers’ obligations and rights with regard to the personal data that is being processed?
- What are the data types being collected and have retention policies been established for the separate data types?
Has the MoH identified the potential risks associated with processing the personal data in the proposed manner? We have identified just 4 of the number of risks that will arise:
- Risk that insecure methods of data transfer are used, allowing access to patient data or any other data transferred to the third party.
- Risk of the system being hacked to obtain patient information.
- Users are not given sufficient information about how the system works, what data will be collected and for what purpose in a comprehensive way.
- The sharing and merging of datasets can allow organisations to collect a much wider set of information than individuals might expect.
Having identified these risks, the appropriate controls have to be implemented to remediate them.
Not only is the above a nice-to-do, it is what is actually required under the Data Protection Act. Conducting a Data Protection Impact Assessment should form an integral part of the project planning phase, and if it was not done already because of expediency, it is not too late to backtrack and put our house in order. These data privacy issues are not new: as far back as November of 2019 we published an article in the Jamaica Observer that foreshadowed these issues.
It is essential that this online scheduling system guarantee the security and privacy of personal health information. The public will rightly expect that to be the case. The system ought to be hosted in accordance with the appropriate standards for protected personal health information, i.e. security/encryption, disaster recovery, confidentiality and privacy practices and policies based on pertinent laws or regulations that protect subjects whose data are recorded in the system. Let us demonstrate that we have learnt from the valuable lessons that we have been taught.
Chukwuemeka Cameron is an Attorney with a Masters in Information Technology and founder of Design Privacy, a consulting firm that helps you comply with privacy laws and build trust with your customers. Feedback can be sent to ccameron@designprivacy.io