Information Technology–Based Tracing Strategy in Response to COVID-19 in South Korea—Privacy Controversies

Amid the global coronavirus disease 2019 (COVID-19) outbreak, South Korea was one of the next countries after China to be affected by the disease. Confirmed cases in Korea were first reported on January 20, 2020, and spiked from February 20 to 29, 2020.¹ Instead of deploying aggressive measures such as immigration control, lockdown, or roadblocks, South Korea mounted a trace, test, and treat strategy.² This was made possible by the preparations that the country had made after the Middle East respiratory syndrome (MERS) outbreak of 2015.

South Korea extensively utilized the country’s advanced information technology (IT) system for tracing individuals suspected to be infected or who had been in contact with an infected person. Such measures helped flatten the curve of newly confirmed cases and deaths around mid-March.^1,2(pp4-5) As of April 21, 2020, there had been 10 683 confirmed cases of COVID-19 in South Korea, with a total of 2233 patients who are in isolation because of hospitalization or quarantine, and a total of 237 deaths.³ However, important concerns have been raised over privacy involving the tracing strategy.

IT-based epidemic containment strategies could include documentation, modeling, and contact tracing.⁴ To engage in documentation, the Korean government developed a customized app for quarantined individuals and required them to report their health status on a regular basis, and, with aggregated location data, modeling efforts were also made to locate potential sources of community-acquired infections. Korea’s focus, however, has been on tracing infected individuals and also those who had been in contact with an infected individual. A major legal obstacle in deploying measures of contact tracing could have been Korea’s stringent data privacy law.⁵ The Personal Information Protection Act (PIPA) of 2011 in principle bans the collection, use, and disclosure of personal data without prior informed consent of the individual whose data are involved.

The 2015 MERS outbreak, however, triggered amendments to the Contagious Disease Prevention and Control Act (CDPCA) and, with the amendments, the CDPCA was given authority to override certain provisions of the PIPA and other privacy laws. Thus, under the current CDPCA, public agencies including the Ministry of Health and Welfare (MOHW) and Korea Centers for Disease Control and Prevention (KCDC) can, at the outbreak of a serious infectious disease, collect, profile, and share 7 categories of data (Figure) that pertain to infected individuals or those suspected to be infected. Specifically, the data that can be collected include location data (including location data collected from mobile devices); personal identification information; medical and prescription records; immigration records; card transaction data for credit, debit, and prepaid cards; transit pass records for public transportation; and closed-circuit television (CCTV) footage.

The KCDC can share the data with central, municipal, or local governments, national health insurance agencies, and health care professionals and their associations. The KCDC must also transfer a part of the 7 categories of data (Figure), including immigration records, card transaction data, transit pass records, and CCTV footage, to national health insurance information systems and other designated systems. Based on this mandate and authority, in March 2020 the KCDC launched the COVID-19 Epidemiological Survey Prompt Support System for enhanced contact tracing. This system enabled prompt delivery of data pertaining to infected individuals to epidemiology investigators immediately after requisite data were collected from the police, mobile carriers, and credit card companies on a near real-time basis.

Furthermore, at the outbreak of a serious infectious disease, the MOHW must promptly make publicly available on the internet or through a press release the following information: the path and means of transportation of infected persons; the medical institutions that treated infected persons; and the health status of those in contact with an infected person. The current disclosures on the MOHW home page include, in addition to these items, the sex, nationality, and age of infected persons, although their names are not revealed. Certain municipal and local governments, however, went further and provided highly detailed routes as well as the names of restaurants, shops, and other business premises that infected persons visited.

The locations of infected individuals attracted extensive news coverage at times. For some cases, the general public engaged in profiling and unveiled or inferred embarrassing personal details. Reidentification allegedly took place on a few occasions. Some of these individuals were affected by unwanted privacy invasion and even became subject to public disdain. Restaurants, shops, and other business premises that infected individuals had visited often experienced abrupt loss of business. Concerns were raised regarding the uneven scope and granularity of disclosures by municipal and local governments.

On March 9, Korea’s National Human Rights Commission issued a recommendation with a view to ameliorating privacy concerns, suggesting that the revelation of exceedingly detailed information was unwarranted. In response, on March 14, the KCDC issued a guideline to municipal and local governments, limiting the scope and detail of the information to be disclosed.

Data sharing about infected individuals within the public sector and among medical professionals confers epidemiologic benefits. In containing the spread of a highly infectious disease like COVID-19, an early response is critical. The use of an integrated IT system helped epidemiology investigators save resources by automating the overall tracking processes. Because Korea was coping with a massive pandemic, it had a justifiable reason to collect and share data. After this unprecedented outbreak is over, however, the legal system could be further refined to facilitate the use of aggregated data rather than individual-level data to deter misuse of the data.

In particular, the specific epidemiologic benefits from extensive tracing and disclosure should be reassessed. For instance, determining the places an infected person has visited is important for epidemiologic reasons. However, rather than reveal those data to the public, the information could be used to disinfect the establishments and, that way, stigma and a decline in business could potentially be prevented. That is, rather than disclose precise locations of an infected individual to the general public, less granular data could be disclosed, with the same effect on tracking and quarantine. Concerns could be raised in the process regarding the lack of transparency from the government, and such concerns could be addressed by devising a suitable privacy-preserving methodology that ensures trustworthiness at the same time.⁶

Other countries may try to develop systems similar to the one used in Korea. It is critical to balance the need for information to test, track, and quarantine with legitimate privacy concerns. The experience in Korea demonstrates the usefulness of an IT system in aggregating a wide range of both medical and nonmedical data in the process of containing the spread of a highly infectious disease. In doing so, the legal and technical infrastructure served as a crucial enabling factor. At the same time, certain adverse effects were observed from the measures used. Further refinements are needed to better protect the privacy of infected individuals while not sacrificing the effectiveness of the measures taken.

Corresponding Author: Haksoo Ko, JD, PhD, Seoul National University School of Law, Gwanak-ro 1 Gwanak-gu, Seoul 08826, Korea (hsk@snu.ac.kr).

Published Online: April 23, 2020. doi:10.1001/jama.2020.6602

Conflict of Interest Disclosures: Dr Ko reported receiving grants from the Research Fund of the Seoul National University Law Research Institute. No other authors reported disclosures.