Since the discovery of several employees infected with the coronavirus at Brandix Apparel Limited, a list of personal data has circulated on social media sites, making it possible to trace patients by their names, national identity card numbers, telephone numbers, and addresses. Although many questioned how and why these private details of patients were shared across numerous online platforms, it soon became evident that Sri Lanka does not have the necessary legal means to safeguard the digital privacy of its citizens.
The global spread of COVID-19 has generated numerous privacy, data protection, and security issues. These challenges are driving the need for individuals to protect their private data and the need for companies and organisations to secure their digital platforms and other means of data collection more efficiently.
Currently, in Sri Lanka, with the spread of COVID-19, the authorities, different institutions, and many platforms are collecting data as the need to identify people who are infected with the virus grows. But this raises a question, as many third parties can easily access this private data.
In the current context, Sri Lanka does not have any specific laws on data protection. The Data Protection Drafting Committee, appointed by the previous ‘Yahapalana’ Government through the Ministry of Digital Infrastructure and Information Technology (MDIIT), released the final draft of the Bill on Data Protection on September 24, 2019. However, it was later stated that the legislation would be implemented in stages and that the Bill would come into operation within a period of three years from a date which was to be approved by the Parliament.
There are several industry-specific laws that enable data protection, such as the Banking Act, No. 30 of 1988, the Telecommunications Act, No. 25 of 1991, the Intellectual Property Act, No. 36 of 2003, the Computer Crimes Act, No. 24 of 2007, and the Registration of Persons (Amendment) Act, No. 8 of 2016. These laws do not, however, provide a definition for the term ‘data,’ nor specific provisions for implementation.
Firstly, the purpose of personal data protection is not just to protect a person’s data, but to protect the fundamental rights and freedoms of persons that are related to that data. By protecting personal data, it is possible to ensure that those persons’ rights and freedoms aren’t being violated. For example, incorrect processing of personal data might bring about a situation where a person is overlooked for a job opportunity or, even worse, loses his or her current job.
Secondly, not complying with the personal data protection regulations can lead to even harsher situations, where it is possible to extract all the money from a person’s bank account or even cause a life-threatening situation by manipulating health information.
Thirdly, data protection regulations are necessary for ensuring fair and consumer-friendly commerce and provision of services. Personal data protection regulations create a situation where, for example, personal data can’t be sold freely, which means that people have greater control over who makes them offers and what kind of offers they make.
Daily Mirror Insight spoke to Attorney-at-law Mr. Indika Perera, a specialist on peace and conflict studies, a visiting lecturer at the Department of Philosophy at Kelaniya University, and a member of the Ethical Review Committee of the Faculty of Medicine.
Data Privacy Legislation in Sri Lanka: the current context
Explaining the current situation, Mr. Perera said that former Minister Ajith P. Perera, the line minister during the former government’s period, had presented the Bill on data protection to the then Parliament. However, the present government wanted to expand the mandate of the Bill. He said that the previous government focused more on data protection legislation, but the present regime is reportedly planning to add certain laws to prevent social media violations.
“Before the spread of COVID-19 in March, the present government had planned to add laws to prevent social media violations, such as cyber bullying, social media-related defamation, and there were a lot of criminal activities, which are happening through Facebook and other social media platforms. They wanted to add these elements also and to expand the Bill,” he said.
Personally identifiable information (PII) means any data that could potentially be used to identify a particular person, such as full name, identity card number, bank account number, passport number, and email address. “Normally most European, North American, and many other countries are quite different when it comes to the handling of personal data; I would call it more civilized. In those places, personal liberties and personal identity are quite important. And in these countries even the government cannot access personal data without proper consent from a particular person,” he said.
He said that governments have to specify the reason for the collection of personal data, adding that data collected could not be used for any purpose beyond the actual purpose. Mr. Perera said that in other countries, there were laws and regulations under which a person could seek protection when a violation of private data occurs.
He also added that the lack of international compatibility in privacy regulation creates many problems, and that when preparing laws, governments have to think about international trade and investments. Mr. Perera added that, alongside a separate data protection Bill, the Constitution should also have a section under which your personal data as well as your privacy should be respected and protected.
Potential Concerns with the COVID-19 situation
In the current situation, a great amount of personal data, including your identity, gender or your preferences, health condition, and financial situation, is being collected by many institutions and authorities in the country.
“These are very important and critical, especially in the current context of your health condition. But there is a risk of certain people who can misuse this information. There are certain diseases which come with social baggage; so if this information is being leaked or if this information is being used by someone without any gravity, there is risk of creating different issues in the country,” he said.
The other potential risk is that the private information gathered by different entities can be sold to financial, health, and insurance institutions as a business element, Mr. Perera said.
“When your personal information is being taken by an institute, that institute has to give you a valid justification that the information is only going to be used for the purpose for which the information is given,” he said.
Data privacy violations in the times of COVID-19
Speaking to the Daily Mirror, President of the Information Technology Society Sri Lanka (ITSSL) Rajeev Yasiru Mathew said that due to the re-emergence of the COVID-19 virus, many business institutions such as supermarkets collect data from customers who enter the premises, adding that no proper explanation was given to the data provider of how the business intends to use that data and protect it.
“As ITSSL, we see the data collection process being carried out by certain parties under the guise of COVID-19 virus, when the right to privacy is not recognised by the Constitution as a fundamental human right without a Data Protection Act,” he said.
ITSSL highlighted that if the personal data collected by these parties is provided to a third party, the public may face another problem, as there is no legal provision to take legal action against it. Therefore, the ITSSL urged the Government to pay immediate attention to the recognition of the right to privacy as a fundamental human right by the 20th Amendment to the Constitution. The ITSSL also stated that it had been able to identify the sites which shared the above details.