South Korea deployed extensive digital surveillance technologies in fighting coronavirus and it worked: the country has contact-traced thousands of potential patients to test and isolate them before they could unwittingly infect others. The combination of aggressive tracking and early testing allowed the country to flatten the curve and curtail the fatality rate to a third of the global equivalent. Its success shows that countries with comparable capacities can and should adopt apposite surveillance strategies for infectious disease outbreaks, with an eye to minimizing potential privacy costs.
South Korea’s tracking strategy relies heavily on its digital infrastructure. Authorities access a wide range of data — smartphone location history, credit card transactions, immigration records, and CCTV footage — of confirmed patients to compile meticulous logs of their travels and contacts. Certain conditions make this possible: the country ranks among the top in the rate of cashless transactions, mobile phone ownership, and CCTV coverage. In late March, South Korea also launched a centralized data collection platform — devised by the ministries of health, infrastructure, and science and technology — that would diminish the tracking time to under 10 minutes per patient.
The level of detail in these logs is noteworthy. On March 7, patient #8074 — a 21-year-old male and a contact of patient #7923 — went to a 7-Eleven by the entrance to Seoul University from 3:59 to 4:11 a.m., after drinking for two hours at a nearby bar called “Tomo Izakaya.” The log adds that both locations have since been disinfected and were safe to access. That same day from 19:12 to 21:39 p.m., patient #7939 watched The Invisible Man at a movie theater near Sungshin Women’s University; he sat in the last row and did not wear a mask.
South Korea attributes much of its success in containing COVID-19 to its digital surveillance. Once collected, the data is used by health authorities to contact-trace and released to the public to minimize activity in virus hotspots. One scholar noted that sharing the tracking data is “an effective way for the authorities to gain public trust.” Indeed, a Realmeter survey in March found that 89.1 percent of the public supported the government’s tracking practices.
But the richness of this data has also raised concerns about privacy infractions. While anonymized, movement histories in some cases are sufficiently detailed for the public to probe into and reveal the patients’ identities. This “witch-hunt” has generated a widespread fear of stigma: A recent survey by Seoul University showed that South Koreans were more afraid of the “criticisms” they may suffer from being infected than contracting the virus itself. A growing appetite for “outing” patients has also led to leaks of their private information — much of it speculative or false.
Against this backdrop, the country’s National Human Rights Commission (NHRC) called for new guidelines on pandemic surveillance. It claimed that the logs of patient travels and contacts were “unnecessarily specific,” causing psychological injury to the patients and discouraging self-reporting among those with symptoms. Crucially, the NHRC condemned the indiscriminate publicization — rather than collection — of personal data. It recommended aggregating all patients’ footprints over time and redacting individual-specific information on age and gender.
In response to these developments, the Center for Disease Control and Prevention (KCDC) released new guidelines for patient data collection and disclosure on March 14. Three updates were notable: (1) the logs should be time-limited from one day before the symptoms occurred until the date of quarantine (or if asymptomatic, one day before the quarantine); (2) the range of contacts traced should be determined based on the patient’s symptoms, exposure conditions, and timing; and (3) “personally identifiable information” — including work and home addresses — should be excluded in public disclosures. The director of the KCDC, Jeong Eun-kyeong, promised continued vigilance in examining and improving these guidelines: “We will balance the value of protecting individual human rights and privacy and the value of upholding public interest in preventing mass infections.”
South Korea’s experiment in pandemic surveillance provides important preliminary insights for democracies seeking to adopt similar measures against COVID-19. Among them, two stand out.
First, South Korea’s surveillance practices are mandated by a bespoke legal regime that is tailored to the demands of modern epidemics. In the aftermath of the MERS outbreak in 2015, the country’s legislators saw the need for a swift government action and correspondingly amended the Infectious Disease Control and Prevention Act (IDCPA). Notably, the revisions allow the health authorities to collect data of confirmed and potential patients during infectious disease outbreaks while granting the public a “right to know.” To this aim, the health ministry must “promptly disclose information” — such as movement paths and contact history of the patients — to the public. These legal provisions legitimize the government’s tracking strategy and mobilize the public’s cooperation in data collection and use.
Second, South Korea regularly updates its guidelines for pandemic surveillance in consultation with relevant agencies and, critically, the public. It took the KCDC less than a week to update its instruction on protecting patient privacy following the NHRC’s recommendation. By narrowing the spatial and temporal scope of patient data, the KCDC demonstrated its awareness of and willingness to address privacy concerns. It also opened channels for patients to directly petition for a review of their logs, allowing for corrections on a case-by-case basis. The transparency with which the government has adapted its surveillance practices inspired public trust in an endeavor that would otherwise have aroused suspicion.
Above all, South Korea’s experience illustrates that surveillance technologies themselves are not the answer to pandemic response; rather, how they are deployed matters. Establishing the legal boundaries of surveillance and developing best practices through public conversations are two ways democratic governments can strive toward a balance between public safety and individual privacy. Other democracies must start this discussion now to tackle today’s — as well as tomorrow’s — pandemic.
Eun A Jo is a Ph.D. student in Government at Cornell University.