Covid-19 and Data Sharing
C4DC Response to COVID-19: Data Sharing Agreements for Public Health
The COVID-19 pandemic has resulted in new demands for data, and many countries are engaging in emergency data sharing arrangements to understand different dimensions of the health crisis. In particular, there is growing interest in the use of mobile network operator (MNO) data for tracking population movement. As described by Digital Impact Alliance, MNO data can be used to understand mobility patterns, predict new COVID-19 hotspots, model social distancing targets, and monitor health services. The inherent sensitivity of MNO data, however, raises privacy concerns, among other questions. GSMA - an international body representing the interests of more than 750 MNOs - has published COVID-19 privacy guidelines that address how its members can maintain trust while meeting requests from governments. The group Privacy International is also recording the ways that countries around the world are employing MNO data during the pandemic, and it has reported on situations where some of this data use might be illegal, such as the way Pakistan apparently accessed patients' registered mobile numbers without consent. Even under emergency conditions, MNO data sharing will have to be managed thoughtfully to realize the potential benefits without creating avoidable harm.
Example Data Sharing Agreements
In response to COVID-19 and as part of its Contracts for Data Collaboration initiative (C4DC), SDSN TReNDS has gathered and analyzed example data sharing agreements (DSAs) that have been used to share MNO data for health applications to help guide other data actors considering similar arrangements.
It should be noted that there are a number of ways that MNO data sharing can be organized, and this is only an initial sample of agreements. Additionally, these agreements were all created before the COVID-19 crisis, and we do not present them as set standards.
MNO Data Sharing in Ghana
A data collaboration in 2018 between the Ghana Statistical Service (GSS), Vodafone Ghana, and Flowminder, enabled the GSS to access insights from mobile phone data to plan public health and sustainable development policies. As part of the collaboration, Vodafone Ghana provided access to pseudonymized telecommunications data free of charge, and Flowminder aggregated and analyzed the data on behalf of GSS. Among other issues, the agreement addresses how data will be aggregated, the parameters for the exchange of the data between the parties, data use limitations, data deletion, and the publication of analysis results. The MNO data is now being used during the COVID-19 pandemic to document the impact of restriction measures in Ghana. Read the case study here and access the agreement below.
MNO Data Sharing in Indonesia
A 2018 memorandum of understanding formed between Statistics Indonesia and an MNO. It covers the use of mobile positioning data for various official statistics.
Template Data Processing Agreement
A template for a Data Processing Agreement (DPA), a type of contract required by the EU’s General Data Protection Regulation (GDPR) that outlines the intention and responsibilities of a Data Processor to perform processing at the request of a Data Controller. The template was provided by an anonymous organization. As an example, it describes arrangements for Flowminder receiving MNO data, although this does not necessarily reflect any legal arrangements actually made by Flowminder.
Redacted Data Sharing Agreement
A 2018 DSA used for sharing MNO data with a country in Sub-Saharan Africa through an intermediary for use in the health system. Under this agreement, the MNO is providing the intermediary with access to de-identified data.
Redacted Data Analytics Sharing Agreement
A 2019 DSA used for sharing mobile network data with a country in Sub-Saharan Africa through an intermediary for improving immunization program reach and tracking disease outbreaks. Under this agreement, the MNO is first anonymizing, aggregating, and analyzing data before providing results to the intermediary.
General Insights and Reflections
The above agreements capture some of the arrangements by which MNO data can be shared and incorporated into health systems. Reviewing this initial collection offers up a few reflections:
No Universal Approach
While the data sharing program in Ghana required a detailed, formal contract that took over a year to negotiate, Indonesia’s Statistical Office was able to make do with a comparatively simple memorandum of understanding (MOU). Although this MOU does not provide details about how the sensitive data is to be handled, our contacts have explained that plans were made to analyze the data using a sandbox system at the MNO’s office, designed to protect data security and the privacy of the network users. Including safeguards in an agreement can provide added confidence and accountability, but the agreement does not necessarily reflect the full extent of measures being taken, and more flexible approaches might be an option depending on a country’s legal context and the interests of the parties.
Different Levels of Data Access
The agreements capture some of the different approaches officials can use to access MNO data. In Indonesia, the NSO worked directly with the MNO. In Ghana, the NSO worked with an intermediary that aggregated and analyzed data on the MNO’s servers and then shared insights. In contrast, the MNO in the “Redacted Data Analytics Sharing Agreement” performed aggregation and analysis itself before passing any data along to the intermediary. These approaches have implications for other terms of the agreements. For example, the agreement from Ghana stipulates that the intermediary cannot share the non-aggregated MNO data with third parties, whereas the redacted agreement allows the intermediary to share data publicly, because it is not given access to any confidential data in the first place.
Limiting Data Use
The four detailed agreements all go to lengths to emphasize that the MNO data can only be used for purposes consistent with the agreement.
Privacy and Security
All of the agreements also describe general approaches for anonymizing MNO data. If confidential data is to be exchanged, they explain the security procedures that are to be followed. The agreement from Ghana and the “Data Processing Agreement Template” give particular attention to data security and the measures needed to achieve GDPR compliance.
Intellectual Property
The three agreements that address IP issues make clear that each of the parties maintain their ownership rights of the data and only the data is being shared.