Citizens’ data on Covid was illegally mined, says new report

State and private companies illegally harvested and shared Kenyans’ private data during the Covid-19 pandemic in direct breach of the Data Protection Act, 2020.

This is according to a new report that details how the pandemic fuelled infringements to citizens’ privacy, freedom of expression and access to information in Kenya and Uganda over the past year. 

The report says authorities including the National Intelligence Service and the Ministry of Health used illegal surveillance methods to track, trace and in some cases forcefully quarantine in State facilities those suspected of contracting Covid-19. 

“In Kenya, telecommunication data was used to track, in real-time, the mobile phones of people suspected to have Covid-19 as a way of enforcing a 14-day mandatory quarantine on individuals entering Kenya from points-of-entry...who committed to self-quarantine,” it says. 

“Additional reports indicate that the National Intelligence Service used phone data to trace patients’ movements and these individuals were not supposed to switch off their gadgets at the risk of being forcefully quarantined at a state facility.”

The testing and tracking of long-distance truck drivers at the Kenya-Uganda border during the height of the pandemic done by non-State actors also raised queries on how the data would be processed, shared, stored and by whom.

Other instances included programmes by NGOs and tech firms that enrolled users into training and health sensitisation programmes that collected personal data on the impact of Covid-19 in communities, ostensibly to create awareness on the pandemic.

The report was authored by digital rights lobbies Article 19, Policy and the Kenya ICT Action Network with a special focus on Kenya and Uganda following their recent enactment of data protection legislation. 

Personal data

In both countries, however, data protection and privacy rights provided for in the respective legislations appear to have been thrown out the window during the pandemic, with majority of affected citizens unaware that they were being monitored and their personal data harvested.

This was compounded by the fact that in both countries, data protection regulators were yet to be fully constituted during the first months of the pandemic, limiting their efficacy in enforcing regulations.

In Kenya, the Data Commissioner’s Office issued a guidance note limiting the extent of collection of health and geo-location data of individuals, but this was done in January 2021, ten months after the onset of the pandemic, and contained significant gaps. 

“The note falls short of the standards set out in the UN’s recommendation on the protection and use of health-related data, which provide a common international baseline for minimum standards for protection for health data,” the report says.

“This guidance note also fails to mandate the disclosure of data sharing agreements that would greatly promote transparency and accountability and contribute to Kenya’s Open Data commitments.”

It indicates that State data protection laws and authorities remain one step behind private sector players that actively collect, store and process highly private health data on Kenyans. 

It says data regulators are powerless at policing their own government agencies such as the ministries of Health and ICT even as they are found to breach basic tenets against privacy violations. 

“The public health laws in Kenya and Uganda fail to justify how this data collection is necessary and proportionate to achieve the protection of public health.”

“These laws fail to clarify where the collected personal data is stored and for how long, and how this data will be used and by whom.”