Metaphors about going to war have been used widely in discussions about COVID-19. China’s President Xi Jinping vowed to wage a “people’s war.” “COVID-19 war zone” posters with a bomb-shaped red germ were displayed in South Korea.
Expressions like “enemy”, “frontline,” and “battle plan” framed discussions on the need to “combat” COVID-19 in many places, including Thailand. Sacrifices of civil and political rights are justified during this “wartime.”
Over the last year, this has resulted in the suspension of the separation of powers, principles like due process, and checks and balances, for maximization of efficiency and effectiveness. We should do “whatever it takes, fast,” or die.
This wartime mentality has also shaped the way authorities handle information. The flow of information is very asymmetric. It tends to be more difficult for the citizens to get information from the government, and the citizens tend to have less protection when the government wants to collect their data.
Overcollection and oversharing of data
Around this time last year, there was a debate over suitable approaches for apps intended to facilitate COVID-19 containment efforts. Should it be mandatory or voluntary, who can see what data, should the database be centralized or decentralized, is GPS location accurate enough, what about the Personal Data Protection Act that was soon to be enforced (at the time)? And so on. There were names like “Sydekick for ThaiFightCOVID”, “PedKeeper”, “AOT Airports”, “COSTE”, and many others from Chana-family and Prompt-family.
Dozens of apps and chatbots for immigration control, symptom screening, contact tracing, and quarantine enforcement were released since, both publicly to general audiences and internally to staff at healthcare and quarantine facilities. Some of them were run by for-profit companies with endorsement from government agencies like the Digital Government Development Agency and Department of Disease Control. Many of them were announced without clear data governance in place.
Today, many of those apps are no longer in operation and it is unclear where the personal data that was collected ended up.
While digital technology that enables the faster, bigger, and more sophisticated collection of data may make citizens worry about their privacy, the technology itself is not the only source of concern. In some cases, it’s not about overcollection, but oversharing of data. For example, provincial and local governments post infected individual detailed timelines on their social media outlets. These timelines can include date, time, place, activities, age, gender, nationality, and profession of each individual. With privacy protection in mind, agencies exclude individual names from the timeline. Unfortunately, with that amount of information, it may still be possible to reidentify the person by name, especially for people close to the individuals.
It is understandable that authorities want to share this data with the public so anyone who found they may have been in contact with the infected person can report themselves to the public health authority and start any necessary processes. But to meet the same goal, a smaller amount of data can be published. It may be sufficient to just announce the specific place and time, without publicizing “anonymized” personal timelines. Nationality, age, gender, and profession for example, seem not necessary to announce publicly for contact tracing purposes. If there is anything statistically significant about a category of people, the information should be carefully communicated statistically and not at the individual level.
Difficult to get useful information and critical service
In the first few months of the pandemic, the public wanted information about the disease itself, places to be monitored because of the infection, travel restrictions, and other preventive measures. Information was scarce and outdated very quickly. This included contradictory information and confusing steps on how to get a travel certificate. The regulation can also say one thing when you depart for Thailand and another when you actually arrive. Lack of clarity and sudden change of regulations with no grace period affect the ability of an individual to plan their own life. This chaotic situation may be understandable early on, as everything is new, and the measures keep changing.
Today, when you search for “COVID situation” or “CCSA” (Center for COVID-19 Situation Administration), there will be a number of websites to choose from. For government websites alone, they include covid19.ddc.moph.go.th and ddc.moph.go.th from the Department of Disease Control, www.thaigov.go.th from the Office of the Prime Minister, www.nsc.go.th from the National Security Council, and moicovid.com from the Ministry of Interior.
These websites come with different levels of web accessibility, and sometimes with “different information” for the same matter – not really contradicting because they all lead to the same fact – but being presented differently in a way that may create confusion. There’s no single website that is commonly known to the public as the single official source for COVID-19 information. The standard mode is waiting for the daily announcement on the television, where general updates will be delivered. For online outlets, detailed daily situation updates are more likely to be found on the “COVID-19 Information Center” Facebook page run by CCSA, where data are presented in difficult-to-search infographic posts.
Different kinds of difficulty recently emerged for obtaining information on how to get a bed in a quarantine facility for people who become COVID-19 positive, and also how the national health insurance and social security programs will cover the cost. There are resources, as the government confirms, and channels to inquire for the resources, like 1330, 1668, 1669 hotlines, and @sabaideebot chatbot. Still, we have people who cannot get a bed, further spreading the disease, and unfortunately in a few cases die in their own house.
There is also criticism about the way government agencies present COVID-19 related data. For instance, only the number of infected cases is presented, but without the number of total tests, or only the number of people who get vaccinated but not the proportion of the target population or the total population. Even for the data that is available, it is still difficult for the public to get these public data from the government in a form that is ready to use. The lack of information or the difficulty of access create confusion and distrust in the government measures. This, in effect, will result in more difficulty in implementing further plans like vaccination rollout.
However, this accessibility issue is not specific to the pandemic, although COVID-19 has made it more visible. We have nothing comparable to the one-stop and citizen-centric GOV.UK. The general issue of user experience and registration burden for basic public services have long been around as well. There are senior citizens who carry an ID card without a date or month of birth or an “Laser ID” at the back of their card, but Mor Prompt vaccine registration app designer might not notice.
Things can be better
COVID-19 has been with us for more than one year. We know a lot more about the disease and the virus. Best practices on investigation, tracing, isolation, and quarantine are globally shared. Supplies for personal protection equipment are no longer in shortage. And vaccines are being produced and delivered. Yes, we are not fully recovered, but this is not wartime. We should transition back to the normal regime and use a law like the Communicable Disease Act (CDA), which is designed specifically and sufficient for pandemics, as a main legal instrument. Apart from blanket power and the lack of checks and balances, the complex web of ad hoc regulations from the Emergency Decree makes them difficult to comprehend. If it is really necessary, some provisions from those regulations could be codified and amended to the CDA. This would streamline regulatory control. Note that the Cabinet has approved a version of CDA amendment draft since 22 December last year but there’s no further development.
On data privacy and security, streamlining and reducing the number of apps could also mean reducing surfaces for attacks and breaches. There should be in compliance with and close observation of relevant international and local laws or regulatory frameworks on data protection and privacy. This is so that data practices will be lawful, limited in scope and time, necessary and proportionate, and specified and legitimate in response to the pandemic.
The actual protection provisions in the Personal Data Protection Act should come into force this year, together with all mandatory secondary legislations, as promised by the Ministry of Digital Economy and Society. There can be a few transitional adjustments if the government finds that not all sectors are fully ready in 2021. For example, the enforcement for this year could be limited to only public entities, entities in critical sectors (like healthcare, banking, and insurance) and relatively large firms with, say, more than 100 million baht average annual revenue. With their resources, these organizations should be in a position to comply, given the fact that the law was announced since 2019. Alternatively, there could be adjustments in the penalty provisions. Criminal punishment could be postponed, fines could be halved, and time limits for breach notification and data request response could be doubled in the first year of enforcement, to give some breathing room.
In essence, the core data protection provisions should come into place immediately at some level. Data-driven activities such as healthcare services, work from home, online study, food delivery, and e-commerce, are increasing heavily, as well as breaches, and we cannot take it lightly. A gradual progress to the full enforcement of all provisions in the data protection law will facilitate trust in this new mode of life. The easiest part of all these processes is for the Prime Minister Prayuth to officially announce in the Government Gazette the appointment of the Chairperson and Expert Members of the Personal Data Protection Committee, as the ten names were approved already by the Cabinet on 19 May 2020. We may not yet have enough data vaccines, as the government keeps postponing it, but at least the government can put data facemasks on for our personal data. A responsible Digital Minister will not leave citizens unprotected.
We need public trust for a successful public health measure. Trust cannot be forced, it is earned, for example, through Rule of Law. Comments and criticism must be taken positively and constructively as an observation from the field. It make not be entirely accurate, but it’s also not “fake news” to be entirely dismissed. The government must guarantee transparency and facilitate an informed decision by all stakeholders. And, yes, everybody is a stakeholder in this pandemic. We’re all in this together.
Arthit Suriyawongkul is a research fellow at LIRNEasia.