South Korea has acknowledged it is permanently keeping data on patients from a previous virus epidemic, worrying privacy advocates that the government is sidestepping legal safeguards protecting personal information.
The data is from those who were infected with the Middle East respiratory syndrome, or MERS, in 2015. The largest outbreak outside the Middle East was South Korea. That outbreak led the country to launch a robust contact-tracing program that health officials currently use to fight the new coronavirus.
But South Korea’s Personal Information Protection Act says that after such data has been used, the government must delete them without delay.
“When the outbreak ended, public opinion was that the government should take follow-up measures to address any complications or patients’ health issues even after they are released from treatment,” Kwon Jun-wook, director of the National Institute of Health, said in response to NPR’s question at a news conference earlier in June about what happened to MERS patients’ data.
“So,” he concluded, “the government and health authorities decided to retain the patients’ information permanently.”
The personal information includes names, age, gender, occupation and contact details, according to an official response to an inquiry from the Korean Progressive Network, a civic group in Seoul.
Authorities did not say what happened to other information collected by the government, including credit card records, cellphone location data and surveillance camera footage.
In a democracy that claims to protect data privacy, as South Korea does, the only justification for granting the government broad rights to collect and store personal data is an emergency, argues Seo Chae-wan, an attorney with civic group Lawyers for Democratic Society.
“Several years have passed since the last MERS patient,” he says in an interview, “and it seems clear that the government is violating that limitation.”
Oh Byoung-il, a privacy advocate with Korean Progressive Network, says the government’s handling of data from MERS has serious implications for the current coronavirus, which involves far more patients.
“It reveals a conflict,” he says, “between their declaration that they will delete COVID-19 patients’ information and the practice that they have followed so far, which is to not delete the MERS information.”
South Korea has been credited for initial success at containing COVID-19 within its borders, partly by using widespread testing and sophisticated contact-tracing technologies. The specific private data health officials collect and their practice of publicizing the whereabouts of virus carriers, however, might not be accepted in some democracies. Pushback from experts and activists has also limited South Korea’s use of some measures, such as mandatory tracking bracelets for those under self-quarantine.
Opinion polls show that most South Koreans approve of their government’s handling of the coronavirus and many are willing to give up some privacy in exchange for safety from the virus.
Still, the way data privacy advocates see it, retaining personal information indefinitely could erode the public trust in health authorities that has been a crucial asset in the country’s battle against the coronavirus.
Se Eun Gong contributed reporting in Seoul.