Data Sharing in a Post-Pandemic World: How to Safely Wind Down Surveillance Measures

Written by Hayden Dahmm

*This article originally appeared in IISD's SDG Knowledge Hub.

Photo Credit: Clay Banks / Unsplash

Photo Credit: Clay Banks / Unsplash

Despite the recent news of successful COVID-19 vaccine trials, the end of the pandemic still seems a long way off. The data community, however, should be thinking ahead to the end of this crisis, when unique data demands will no longer apply.

To track and mitigate the spread of COVID-19, governments worldwide have had to undertake extraordinary measures, relying heavily on data surveillance systems and analytics. And while the World Health Organization (WHO) has recognized data sharing as a crucial element for a coordinated COVID-19 response, some of these activities are raising questions. For instance, a six-nation survey found that people are generally reluctant to share personal COVID-19 health data with the government or publicly available apps. Indeed, track-and-trace tools in Norway, the UK, Qatar, and India have been shelved or revised amid security and privacy concerns. In the US, contact tracing apps have struggled with low adoption rates. There are also growing concerns about what will happen to these surveillance measures after the pandemic is over, and groups like Privacy International contend that such measures must be immediately terminated post-pandemic.

Moreover, COVID-19 has sparked debates around intellectual property rights, limitations on data re-use, and how long data should be retained. These critical issues are explored in a new brief from SDSN TReNDS and DataReady, titled ‘COVID-19 Data and Data Sharing Agreements: The Potential of Sunset Clauses and Sunset Provisions.’ The brief examines data legislation and data sharing agreements (DSAs) in the context of COVID-19, discussing steps that can be taken to ensure that these data interventions are safely and responsibly wound down at the end of the pandemic.

A “sunset clause” is a legal term describing how a piece of emergency legislation should come to an end. In effect, it places a time limit on the legislation, requiring the government to enact new legislation if it wants to continue with certain actions. Sunset clauses have been important for dealing with exceptional circumstances, such as terrorism or disinformation, and a number of countries have now incorporated them into COVID-19 emergency legislation, including the UKSingaporeCanada, and Israel.

Sunset clauses can also be valuable when creating legislation around contact tracing programs. The European Data Protection Board has advised that personal data collected for contact tracing should only be held for the length of the COVID-19 crisis, after which it should either be erased or anonymized. Several governments have already reflected this principle in laws and regulations with the use of sunset clauses. For example, the French government’s contact tracing app includes automatic data deletion, and the government plans to phase out the app post-COVID-19. Australia, meanwhile, has passed legislation stipulating that data collected through its COVID-19 app cannot be stored on a communications device for more than 21 days, and the data must be deleted once it is no longer required in the pandemic response. These conditions serve to limit the future use of sensitive data by governments, and they can help ensure that these interventions are held accountable.

Alternatively to sunset clauses, a DSA lays out the terms for exchanging data between a specific set of stakeholders, and it is important for establishing trust and responsibility between parties. For instance, a DSA in Ghana has allowed the national statistics office (NSO) to access anonymized, aggregated mobile data from a network operator with the help of a third-party organization to assess the impact of COVID-19 lockdown measures in the country.

However, the question of data “ownership” in a DSA can be a highly complicated and uncertain one, and privacy advocates are calling for additional protections to be put in place for sharing COVID-19 data. If national legislation does not require data to be deleted or anonymized, then individual DSAs can specify their own conditions with a “sunset provision,” which describes how data sharing practices should be drawn to a close. Although voluntary for the parties to a DSA, an effective sunset provision should address intellectual property rights, mandatory deletion rules, obligations to retain certain data, anonymization requirements, and any future use of the data that might be permitted.

Yet given the acute time pressures, along with the limited data protections found in many countries, some COVID-19 data partnerships have held off on creating formal agreements. Instead, relationships between parties are often simply based on trust, though they might document their commitments in an informal memorandum of understanding (MOU). From our discussions with leading data actors, we understand that these MOUs generally do not address how data sharing will be wound down after the pandemic.

Although they are informal, MOUs could introduce sunset provisions similar to those found in formal agreements. Sunset clauses and provisions can be important tools for ensuring that we maintain the right balance between safeguarding data rights and individuals’ privacy and governments’ needs to tackle COVID-19. By including appropriate language in national legislation and individual agreements now, we can make sure that the necessary data are available to inform pandemic responses, while also minimizing the risk of misuse.

Fortunately, sunset clauses and sunset provisions are already effectively being used around the world. More lawmakers and data stakeholders will need to think through the legal complexities and technical needs to bring about appropriate data governance procedures going forward.