Appropriate steps are taken to protect data that could, either alone or when combined with other data, result in the identification of individuals or vulnerable groups within datasets used to tackle COVID-19
After an extensive desktop search of online information, no information could be found to demonstrate what any such appropriate steps are required or have been taken.
Data collected for epidemiological purposes shall not be shared or used by other parts of government, such as police forces or Ministries of Interior
After an extensive desktop search of online information, no information could be found to suggest that there are restrictions on the sharing of data that was collected for epidemiological purposes with other parts of government.
Protocols shall be established to respond to potential data breaches of datasets containing sensitive data
“The Data Protection Act 2017 defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. In the event of any such breach, the controller is required to, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Data Commissioner. Such notification must describe the nature of the personal data breach, communicate various contact details and recommend measures to address the personal data breach, including, where appropriate, measures to mitigate the possible adverse effects of the breach. Where a processor becomes aware of a personal data breach, they are also required to notify the controller without any undue delay.
Where a personal data breach is likely to result in a high risk to the rights and freedoms of a data subject, the controller must, after the notification to the Data Commissioner, communicate the personal data breach to the data subject without undue delay.”
Individuals or vulnerable groups who may be harmed by the misuse of their data in response to the COVID-19 pandemic – either intentionally or accidentally – shall have access to judicial redress and due process
Although such individuals and groups would formally have access to judicial redress to persue a civil claim, they may in fact experience difficulty in obtaining legal advice and representation.
Governments and public bodies shall retain all intellectual property rights over databases and all derivative data outputs produced using African citizens’ data as part of the COVID-19 response
After an extensive desktop search of online information, no information could be found to demonstrate that governments and public bodies have registered or asserted any such intellectual property rights.
Governments, private companies and other entities shall commit to engaging with civil society organisations and digital rights defenders in order to identify responsible and practicable ways of winding-down any emergency data collection, processing and use at the end of the pandemic, in accordance with local laws and in line with international best practices
After an extensive desktop search of online information, no information could be found to suggest that any such engagement has taken place.