Some thoughts on the COVID-19 Telehealth Portal.

These are personal observations/comments and are (primarily) intended to seek answers from authorities concerned.

Also, they are meant to foster a debate.

[Thread]
What's apparent is that one needs to log in using his Facebook and/or Google account to benefit from a government-facilitated initiative. Personally, I find this a turn-off. There must be an option to register normally without having to associate any social media or web accounts.
Secondly, from a legal standpoint, the forced involvement of Facebook and Google automatically elevates my data security rights to an international forum (since both tech giants are US based and bound to US laws). Which brings us to the question of 'Whose law is it anyway?'
I'll now dissect the Privacy Policy for this portal, a copy of which has been archived here (for future reference): archive.vn/34Rx3
It is gleaned from this paragraph that there are two basic entities responsible for Telehealth's operations (core stakeholders):

(1) Federal Ministry of National Health Services, Regulations and Coordination.

(2) Digital Pakistan project.
Health info held by Telehealth is "also subject to" the HIPAA, a US law enacted in 1996 by then President Bill Clinton. Does the use of 'also' indicate that citizens data is transferred to US-based entities, hence the legal cover? HIPAA cannot be applicable within Pakistan.
The term 'state law' is taken from US legislative lingo. In Pakistan, we either use the term 'provincial' or 'federal' to clearly distinguish between different constituent components of the federation. Which one is being referred to in this para?
Telehealth (Ministry of Health/Digital Pakistan) cannot guarantee the confidentiality of information i.e. if your data gets compromised, the federal government cannot be held responsible. Ideally, the state should act as a guarantor/guardian of citizen data from its portal.
Telehealth cannot guarantee data confidentiality whereas the types of personally-identifiable data they collect and also associated Facebook/Google accounts make it a prized dataset for cyber criminals. Details of who retains this data (Telehealth/Facebook/Google) not clarified.
Regarding the first point, it needs to be ascertained whether citizen health data is treated as proprietary data by Telehealth or those enabling their services? Nothing clarified.
Telehealth is just a 'brand name' as specified earlier on in the policy; it isn't a department or section as such. Who are its employees and designees? The IT officers in NITB, staff at Ministry of Health, members of Digital Pakistan...who?
Concerns on 'Disclosures'.
Which law/'state law' helps us prohibit the use/disclosure of our personal data? We don't have a Data Security Law. We could invoke Section 16 of PECA but since we did in fact authorise Telehealth to obtain/transmit our info in the first place, its application is nullified here.
Reference to Pakistan as 'there' suggests this para was drafted keeping overseas users in mind; suggests data is held within Pakistan. How does it explain the relevancy of HIPAA which is a US law? Does it bind Facebook and Google to abide by Pakistani law also? Utter confusion.
Another question in the preceding context is: Who processes this data? Ministry of Health, Digital Pakistan, third-party contractors...?
This is what baffles me. When the federal authorities know fully well that we don't have a Data Security law, why introduce such a facility in the first place and risk compromise? We can't even hold Telehealth liable in present circumstances, they won't tell you that.
This para confirms that personal information (not anonymised data) is shared with third-parties. How is Telehealth sure that Facebook, Google, other service providers will not disclose our data say, for example, to US national security authorities, if ordered to do so?
The given email address for updating/correcting information mentioned in the policy is operated by the central Crisis Communication Centre (CCC) at Federal Health Ministry (Source: archive.vn/icNOP). One assumes it is the ultimate data controller.
A more blunt statement from Telehealth's End-User License Agreement (EULA) that they will NOT be held liable in case your login credentials are compromised. You're on your own. Also nullifies applicability of PECA Section 16, if there was any space!
The Government of Pakistan will not take BASIC responsibility for your data security on its OFFICIAL PORTAL against 'unauthorised third-parties' which could include state/non-state actors and maybe even additional third-parties employed by Facebook and Google!
The Government of Pakistan doesn't give a hoot if, God forbid, malicious foreign actors (state/non-state) inject the Telehealth website with viruses or trojans. Or if there's insider sabotage or mishandling involved.

'We govern you, but you can't hold us liable'.
What if the origins of any misuse are traced to a third-party based overseas? Will they comply with a local Data Security law which doesn't yet exist...? Where does HIPAA (US) fit into all this?
Question: To what extent is VentureDive (registered in US and Pak) involved in Telehealth?

Data analytics, platform integration...?

Source: archive.vn/9DJwm
Question: Was the NITB (@NationalITBoard) incapable of single-handedly developing and maintaining the Telehealth portal without involvement of third-parties?
Question: Is it ensured that mobile numbers fed to eOcean's SMS gateway will not be used as a proprietary commodity besides Telehealth?
Question: To what extent is Infobip involved?
In the overall context, I'll recommend you read an informative article by Syeda Uzma Gardazi (Women University AJ&K) published in the Compliance & Ethics Professional (July 2018 edition). Source: academia.edu/37096695/Role_…
Gardazi writes: "In its summary of the HIPAA Security Rule, the Department of Health and Human Services noted that “the rise in the adoption rate of these technologies [electronic health records] increases the potential security risks.”"
Gardazi: "We should enhance the awareness level and compliance within the Pakistani healthcare industry, including information security. There is a need for compliance professionals in the Pakistani healthcare industry to review and prevent patient record breaches..."
Gardazi: "The proposed Electronic Data Protection Act was drafted and proposed in 2005 and so far not published. There is no law regulating the protection of data in Pakistan to this date."

(Zaki adds: Neither has the draft Personal Data Protection Bill been reviewed).
Gardazi: MoIT "proposed the Foreign Data Security and Protection Act 2004 to support US and EU companies outsourcing data within Pakistan. In the absence of a Pakistani data protection law...introduction of a cybercrime law would be overwhelming for civil rights and businesses"
Gardazi: "The Pakistani Data Protection Act draft was created to benefit the citizens of the country. The draftspersons of this bill seem to have forgotten to address anticipation of future technological development."
Gardazi: "The fact that the Pakistani Data Protection Act has still not moved forward on the floor of the assembly is incredibly worrying".
These and similar concerns must be addressed on war-footing by the Government of Pakistan. It is incredibly dangerous and irresponsible that such ad hoc e-services are being promoted for political projection in absolute disregard for a massive legal vacuum.
Unless lawmakers gather together to approve a consolidated data protection law, it is ill-advised for the federal govt to partake in such e-services. If the govt cannot even take basic responsibility for citizens' data, it shouldn't collect it in the first place.
As law-abiding citizens living elsewhere, we look up to our federal government to give us an all-encompassing shield against threats of various types while ensuring provision of e-services. 'Digital Pakistan' should not be treated as a PR exercise for a handful of PTI elements.
It is deeply insulting that the federal government is promoting a pandemic-related e-service while completely absolving itself of any and all liabilities. As in all countries elsewhere, the incumbent political leadership WILL have to take full ownership of its initiatives.
I hope to have my concerns addressed. I have full confidence in our leadership but 'leaders' are supposed to carry heavy burdens of responsibilities. Also, I request political/bureaucratic elements not to think of ordinary citizens as idiots. We can read between the lines. [End]
Keep Current with Zaki Khalid