The Computer Society of Kenya

Since 1986



Google has introduced a Covid-19 mobile app that has appeared on all mobile handsets.  This has caused panic to many subscribers who are wondering whether they are being monitored as they go about their daily lives.

The application has a very noble purpose of trying to alert mobile phone subscribers if they have been in close proximity to some one who is Covid-19 positive.

It uses bluetooth technology - the short range, wireless technology in your TV remote control that helps flip through channels.

If two subscribers have registered and enabled both their Covid-19 mobile apps and their bluetooth, their phones would be able to exchange messages in near proximity whenever they bypass each other.

If one of the two subscribers has updated their app to reflect the fact that they are Covid-19 positive, the second subscriber would get an alert to that effect and is expected to take action, including self-quarantine.

Is this surveillance?  Yes it is.

Is it legal? That is the big question.

The Data Protection Act (2019) describes medical data as ‘sensitive’ personal information that qualifies for a higher level of protection as well as consent.

The subscriber enabling this Covid-19 app on their phone must be well informed about the risks and benefits.  The burden of informing the subscriber or data subject as they are called, rests squarely on the company collecting this sensitive personal data.

The biggest risk is always about a data breach.  What happens if, say, all the Covid-19 positive cases in Kenya registered on the app and their personal records were at a later stage hacked and disclosed on the internet?

Since it is not criminal to be Covid-19 positive, the decision to disclose a patient’s status, like all other medical details remains the patient’s prerogative and a data breach would be a violation of patient confidentiality.

Another risk would be the abuse of the data by whoever is collecting it.

This abuse may come in form of authorised personnel accessing the data and using it for purposes other than those disclosed at the point of on-boarding subscribers.

Typically, employees of the company collecting and hosting can use their access and illegally mine or sell this medical data to third parties without express authority from the patients and other subscribers signed up on the mobile app.

The final risk that comes to mind is about keeping the data updated. How does the app support change of status to reflect the fact that a patient has recovered or passed on? A harder question would be how do you stop unscrupulous spammers who will subscribe and declare fake status – either false positives or false negatives?

If the framework for handling these challenges is not well documented and managed, the mobile app may end up causing more confusion and panic rather than resolving the original problem.

These are the sort of questions the Kenyan Data Commissioner should be tackling on behalf of Kenyans before determining the legality or the effectiveness of the tool.  

In the absence of such assurance, one can only say – buyer, beware.

Share this page