Coronavirus: Giving out patient details - a case of serving public good or invasion of privacy?

In a photo taken on March 10, 2020, hospital workers track responses to the Covid-19 novel coronavirus at a situation room at a hospital in Daegu.
In a photo taken on March 10, 2020, hospital workers track responses to the Covid-19 novel coronavirus at a situation room at a hospital in Daegu.PHOTO: AFP

SEOUL - In highly-connected South Korea, people know immediately when a new coronavirus case emerges in their neighbourhood.

A government alert, accompanied by a shrill emergency alarm, will pop up on their mobile phones, giving details such as the new patient's age, gender and travel history.

Such public revelations have led to online witch hunts that disclose patient identities, triggering groundless speculations and cyber bullying when travel records unwittingly reveal some awkward truths, such as involvement in dubious religious groups.

As the coronavirus continues to wreak havoc around the world, causing over 120,000 infections, with Italy, Iran, South Korea and France among the worst hit outside China, where Covid-19 is said to originate, raising concerns about the infringement of privacy, stigmatisation and doxxing as patient data are scrutinised and dissected.

South Korea, which has reported over 7,800 cases of the coronavirus, insists that transparency is crucial in fighting a public health crisis and invokes the Infectious Diseases Act to do contact tracing using cellphone records, global positioning systems, credit card use and closed-circuit television camera footage.

But some critics have questioned the need to reveal so much personal information, and if public good comes at the expense of privacy.

A 46-year-old woman from the western city of Cheonan, who tested positive on Feb 27, drew so much flak after her travel history exposed that she is a member of controversial religious group Jesus Morning Star (JMS) that her husband filed a petition with the presidential Blue House calling for an end to the "indirect murder" of his wife.

"After my wife was diagnosed, I was ashamed and remained silent," he wrote. "However... I cannot stand the harassment any longer... The numerous comments and falsehoods disguised as real news are causing the total destruction of one's character."

In another case, two infected members of the same church in Busan were accused of having an extramarital affair after their travel history revealed that they spent a night in the same condominium resort on Feb 21.

 
 
 
 

Patient No. 31, a 61-year-old woman from Daegu, was widely condemned for travelling extensively and attending church twice despite being ill. Testing positive on Feb 18, the so-called "crazy ajumma (auntie in Korean)" was the first of thousands of members of the secretive Shincheonji Church of Jesus who were infected in the country's largest community outbreak of the coronavirus disease.

Politician Lee Jun-seok warned that revealing too much about a patient's travel history could lead to stigmatisation, thus deterring people from seeking help, he told The Korea Herald newspaper.

But the South Korean government swears by what it calls a "dynamic response system for open democratic societies".

Vice-Health Minister Kim Gang-lip on Monday (March 9) underscored the importance of disclosing information and detailed explanations to help citizens stay safe.

"The more transparently and quickly accurate information is provided, the more the people will trust the government. They will also act rationally for the good of the community at large," he said at a foreign media briefing.

Identity leaks, however, come at a heavy price.

Four civil servants working at the Seongbuk District Office in central Seoul were arrested on Monday for violating privacy laws after they leaked a confirmed patient's information in a phone group chat unrelated to work. Details included the patient's personal information and people whom the patient met over the Chinese New Year holiday.

The police said they will conduct a thorough investigation into "document leaks that can cause social chaos".

OVERZEALOUS VIGILANTES

Outside South Korea, some other countries are also struggling with overzealous journalists and online vigilantes bent on uncovering the identities of patients under the guise of public service.

Indonesia's first two coronavirus patients, a 31-year-old woman and her 64-year-old mother, were isolated in hospital when an army of reporters swarmed their home in West Java last week after their test results were announced by President Joko Widodo.

 
 
 
 

Within hours, their photographs and personal details, from their initials to their home address, were shared on WhatsApp groups and social media. The viral message detailed their symptoms, where and how they might have contracted the virus, and when they were admitted to hospital.

The younger woman also had to refute reports which said she caught the virus while dancing in a Jakarta club on Feb 14 with a close Japanese friend, who later tested positive in Malaysia. She clarified in a WhatsApp message that she did not have a Japanese friend, and the dance event was held in a restaurant on Feb 15.

"You have no idea how stressed I am right now... Please respect my privacy and help me get through this instead of putting more stress in my head," she said, adding that the leaks have left her and her mother "mentally drained".

Indonesia has no specific laws on privacy or data protection. But President Joko has since called on the public to respect the privacy of the patients and ordered his ministers and the hospitals treating the patients to stop disclosing their private information.

The Alliance of Independent Journalists group has also urged members to be more considerate in their reportage and refrain from sensationalising the cases.

Vietnam's 17th patient, a 26-year-old woman from a wealthy family, was abused online after it was revealed that she travelled through Britain, France and Italy before returning to Hanoi on March 2. She was admitted to hospital only three days later.

Several local media outlets published her full name. A document with her home address and workplace was also leaked online. People abused her on social media and spread rumours about her purported movements.

The authorities had until then been cautious about  giving too much details about new patients. Vietnam's state-owned media also refrained from using patients' full names, although it has run pictures of those who have recovered from the disease.

In the Philippines, health officials disclose only the age, gender, nationality and travel history of new patients.

But social media has been muddying the waters with misinformation and hearsay, forcing some hospitals and companies to clear the air. Accounting firm Deloitte, for one, had to issue a statement to clarify that only one of its staff - a lawyer - tested positive for the virus, not 11 as rumoured on Facebook.

TRANSPARENCY V PRIVACY

Given the prevalence of social media today, it seems inevitable that the coronavirus outbreak will challenge the principles of privacy, freedom and human rights, as Bloomberg noted in a March 2 commentary.

 
 
 
 

"We will have to walk a fine line between letting transparency and reason prevail, and taking sensible precautions to save lives," it added.

Even in Europe, where human rights are highly valued and the General Data Protection Regulation (GDPR) keeps personal information private, exceptions are being made in times of crisis.

Italy, the country outside China which is the worst hit, with more than 12,000 cases and over 800 deaths, adopted the Civil Protection Ordinance No. 630 on Feb 3 to give the authorities "extensive powers" to process personal data related to the outbreak, according to global law firm Morgan Lewis.

This includes potentially sensitive information such as racial or ethnic origin, political opinions, religious beliefs, health and genetic data and criminal records.

Germany's Federal Data Protection Act allows for a special category of personal data processing "for reasons of public interest in the field of public health, such as protection against serious cross-border health risks".

State agency Robert Koch Institute is now discussing with tech companies how to best use digital data for contact tracing instead of relying on traditional methods such as asking travellers to fill out exit cards. But this new approach will work only if users voluntarily hand over their data.

Collecting personal information is a tall order in Germany as people are generally wary of sharing data, but reservations may diminish as the number of infections rises. Germany now has over 1,200 cases.

Data collection could also prove challenging in the United States, which now has more than 1,000 infections across at least 36 states.

The Centres for Disease Control and Prevention (CDC) used to be the only one authorised to test for the virus and provide centralised data, mostly centred on the number of confirmed cases.

But as restrictions are loosened, testing is also being done at the state level, and local health departments have started releasing their own data, often giving the county, city or the confirmed patient is from. The details are not enough to patients' identities.

As a result, there is no complete picture of how many people have been tested in the US, obscuring the extent of the disease's spread and its fatality rate.

INTRUSIVE DATA COLLECTION

At the other end of the spectrum is Singapore's tightly-controlled data collection and contact tracing for a small population of 5.6 million. The Republic has reported 187 cases so far, more than half of whom have recovered.

 
 
 
 

Disease investigators work tirelessly with the police to map out a patient's travel history, using all kinds of resources, from surveillance footage to mobile phone data and ATM records. Information such as the patients' age, gender, nationality, the street where they live, and the places they visited, are then released by the Health Ministry in a bid to curb the spread and keep the public safe.

The same level of intrusive data collection is also seen in China, where there are more than 80,000 cases of the coronavirus and over 3,000 deaths from it.

QR codes must  be scanned before people can enter residential compounds, mobile phone apps record your daily temperature, while other apps show if there are cases nearby or if patients have been in close proximity.

Employees are also positioned at mall and subway entrances to ensure that shoppers and commuters register their personal details before entering, and cellphone users can ask for a list of their locations from telcos to help with contact tracing.

The authorities have said that these measures are in place because of the extraordinary situation. Still, some have expressed concern that the epidemic is an excuse to accelerate the collection of citizens' data in a country with lax data protection laws.

Over in Japan, the demand for coronavirus-related legislation has grown amid public unease over how adequate the government's  actions have been to stem the outbreak.

Japan's lack of a "command centre" akin to America's CDC has been fingered as one of its shortfalls and the Health Ministry has drawn flak for the alleged mishandling of the Diamond Princess cruise ship, which had nearly 700 infections on board as it docked off Yokohama.

Economy Minister Yasutoshi Nishimura has been appointed to take charge of laws related to the outbreak, and one of his key tasks is to strengthen public relations as the domestic infection tally crossed 600 cases, with 15 deaths.

The Hong Kong government, on the other hand, is trying to strengthen measures against a growing trend of cyber bullying and doxxing, where personal information is circulated for purposes of harassment. For instance, the online release of personal data of some medical staff and locations of almost 6,000 buildings set aside for home quarantine for returning Chinese residents triggered debate.

To tackle doxxing, the government has proposed measures such as the setting up of an independent criminal investigation team, and new rules to compel social media platforms to remove doxxed content.

KEEPING PATIENT INFO PRIVATE

Not all countries are on the same path though. At least India, Malaysia and Thailand appear to be holding up well and keeping patient information private.

Thai authorities are even reluctant to give non-identifiable basic details unless pressed by the media, while Malaysia keeps small cluster outbreak locations vague, only mentioning the states and cities.

No identities were leaked in India either, as the government revealed only where patients are from and their travel history.

Australia also keeps personal data of patients to a minimum, offering only the person's state of residence, where they had travelled to and if they had contact with a virus-hit country.

More details, such as age, gender and place of work or study, may surface during press conferences, but it has not led to privacy concerns and appears to have been viewed as necessary public health precautions.

Contrary to its reputation for being reserved, South Korea learnt the hard way during the Middle East respiratory syndrome outbreak in 2015 that withholding information, such as the patients' travel history, could incur public wrath. Laws were later amended to allow public sharing of such data.

But now, too much patient information is being shared and too quickly, law professor Lee Jae-min of Seoul National University told The Straits Times.

"Right now the government is simply trying to do as much as they can to find the sources of infection and the persons involved, so as to segregate them," he said. "That policy purpose is now suppressing any other legitimate concerns that would otherwise have been raised, such as privacy issues."

Additional reporting by Arlina Arshad, Charissa Yong, Claire Huang, Hathai Techakitteranun, Jonathan Pearlman, Markus Ziener, Nadirah H. Rodzi, Nirmala Ganapathy, Raul Dancel, Tan Hui Yee and Walter Sim