DATA PROTECTION

How state surveillance rose with the pandemic

In Summary
  • Report found that the surveillance environment increased in both Kenya and Uganda
  • This was against a backdrop of “weak accountability and transparency and the non-proactive disclosure of information about both governments’ responses to the pandemic”
President Uhuru Kenyatta signing the Data Protection Bill into law.
President Uhuru Kenyatta signing the Data Protection Bill into law.
Image: PSCU

The Covid-19 pandemic, now in its second year, has made it essential for Kenyans to be concerned about how their personal and health information has been collected, shared and how it continues to be used.

From the onset, the government introduced various measures to stem the spread of the pandemic. One of these included data collection to help trace people suspected to have contracted the virus and their contacts so that people exposed to the virus had limited interactions with other members of the public.

Since last year, harrowing stories have been told of how those deemed to have interacted with those affected have received calls from unknown people or health officials, sometimes at ungodly hours, and informed that they needed to be tested or taken to quarantine centres. These calls scared those who received them, and many are still traumatised by the entire experience.

Picture this: One Saturday afternoon last year, Kimani got a call from an officer from the Ministry of Health as he relaxed with his wife. The official summoned him to go to the health center as apparently, ‘he had interacted’ with an infected person and needed to be quarantined. He was also asked to go with all the occupants of his house. For Kimani, the only other occupant was his wife.

But there was a problem. The officials indicated that they were looking for Paul Kimani Mbugua, but Kimani’s full name is William Kimani Mbau. Despite his explanation that they must have confused him with someone else, the official was unconvinced and became harsh and hostile. The official threatened Kimani with dire consequences if he did not show up at the health center in another 30 minutes.

Kimani and his wife honoured the summons to the centre, where he was then ferried to KMTC quarantine centre in an ambulance, while his wife was put in a separate ambulance, to a different centre. It is only at the time of admission that the nurse at KMTC noted the inconsistency in the names and declined to admit him. He escaped the mandatory 14-day quarantine.

MISTAKEN IDENTITY

There was more drama. Kimani lives in a communal place where there is a shared water point, toilets and even shops. He feared that some neighbours may have got wind of the summons which meant that his family would be isolated and discriminated against based on suspicions of being Covid-19 patients. They walked home lest anyone sees them alighting from the ambulance. The fear of stigma was real.

Kimani’s is but one example. There are stories of those who found themselves in quarantine because they did not have money to bribe their freedom on the basis that they had breached curfew rules. People’s freedoms such as privacy were breached mainly by those who were meant to protect citizens.

In addition, there was violation of the data protection principles and national data protection laws. This resulted in state actors and personal entities amassing, handling and distributing sensitive personal health data. The process failed in the design, development and deployment of technologies, products and services to tackle the Covid-19 pandemic.

Due to stigmatisation, many Kenyans would give fake phone numbers when testing or hand over to government officials their contacts without seeking their consent. Kimani still wonders to date, how the health officials got his number.

MORE SURVEILLANCE, LESS TRANSPARENCY

Kimani’s case is a demonstration of a gap in the government’s data collection efforts. Despite a progressive Data Protection Act adopted in 2019, there was a lack of respect for privacy and the security of personal data, which also led to stigmatisation and isolation of survivors especially their residential and workplaces.

A report Unseen Eyes, Unheard Stories released recently, highlights surveillance, data protection, and freedom of expression concerns in Kenya and Uganda during Covid-19 pandemic.

Apart from highlighting the human rights implications resulting from what the government and private sector Covid-19 surveillance measures in Kenya and Uganda portended, the report also reviews the national legal frameworks and practices that have enabled an extraordinary surveillance environment during the first year of the coronavirus pandemic in the two countries.

The report found that the surveillance environment increased in both Kenya and Uganda. This was against a backdrop of “weak accountability and transparency and the non-proactive disclosure of information about both governments’ responses to the pandemic.”

The monitoring measures and practices adopted to contain the pandemic Covid-19, including applications of coronavirus (apps) did not comply with the threefold international law tests and national laws that safeguard privacy, data protection, freedom of speech and access to information.

In addition, there was violation of the data protection principles and national data protection laws. This resulted in state actors and personal entities amassing, handling and distributing sensitive personal health data. The process failed in the design, development and deployment of technologies, products and services to tackle the Covid-19 pandemic.

This comprised purpose restriction and data reduction, retention and prior and informed consent. Moreover,  state agencies and private actors continue to cooperate in the deployment of digital technologies as a way of addressing the pandemic, but the partnerships still do not have transparency.

Although press reports detailing collaborations in digital contact pursuits, some areas are still unclear such as public accessible information on public-private contracts or data-sharing agreements, the architecture of technologies, budget allotments or procurement procedures for pandemic monitoring technologies, or pandemic surveillance technology procurement processes.

The report is a useful guide in the promotion of privacy, data protection, freedom of expression and access to information for government policymakers and agencies, the private sector, activists, journalists, and human-related organisations.

Grace Githaiga is the convener of the Kenya ICT Action Network and Victor Kapiyo is a researcher