Article 13 of the Namibian Constitution states that:
“No persons shall be subject to interference with the privacy of their homes, correspondence or communications save as in accordance with law and as is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the protection of health or morals, for the prevention of disorder or crime or for the protection of the rights or freedoms of others”.
Written at the time of Namibia’s independence in 1990, it remains the only type of privacy guaranteed by the Namibian constitution as of today, with no amendments made to account for the growth of the internet and the need for privacy online.
Although Namibia is known for upholding rule of law, the country does not have a data protection and privacy law in place. The wake of the Covid-19 pandemic, in particular, has highlighted the importance of the data protection law as incidents of data violations and breaches became prominent.
Background on data collection and Covid-19 in Namibia
Namibia reported its first Covid-19 cases in March 2020 and under WHO’s guidance the country adopted the contact tracing and surveillance system. Surveillance for Namibia meant getting “insight into the diverse meaning of how Covid-19 contact tracing data is collected and reported, is vital to understanding the opportunities and challenges to improving public health in Covid times”.
However, Covid-19 reporting and detection in Namibia alone, invited a different welcome altogether. Blinded by the need to protect themselves, many Namibians took to social media, asking government through the Ministry of Health to set aside privacy and client consent and name those infected by Covid-19.
This call drives do not only reveal the cracks in the level of knowledge on privacy matters especially in the digital era where the identity of those named are unlikely to never be forgotten, but also drove the issues of stigma earlier associated with Covid-19 then. But also, the call for the registry at the time, revealed one of the many frustrations from the public about the contact tracing and surveillance system in place.
As an additional measure to contain the spread of the virus, government released new guidelines on April 30 2020, including the provision that “Businesses are required to keep clientele log to assist with contact tracing.” Implementation of the guidelines kicked off immediately requiring businesses and public establishments to take down people’s data (names, national ID numbers and contact information). However, no corresponding guidelines on data protection law were passed immediately, nor was substantive training on handling of the data at processing level conducted. This meant data protection during Covid-19 became even more problematic.
The issue of public registers in totality was heavily criticised by the media immediately upon implementation. The Windhoek Observer heavily lamented the move saying: “Namibia has neither the resources nor capacity for metadata processing”. In criticising the move, the newspaper further criticised that the exercise was intrusive and exposed people to identity theft. The fear for identity theft was revealed as a reason for why many Namibians were leaving fake names and identities in the registers.
Women harassment, targeted advertising and a case of stolen data
Despite harassment for women online happening frequently, it seems the issue has not been taken seriously even during the pandemic.
The very first case of data breach, that led to harassment made rounds on Twitter in early April where a young woman received unsolicited contact as a result of leaving her information at a shop register in Oshana region.
This incident confirms the findings of the Internet Society Namibia Chapter of July 2020 that revealed that the lack of cybercrime and data protection legislation in Namibia puts women at risk of violence, and in vulnerable positions in the cases of non-consensual image sharing (also known as revenge pornography), as well as with regard to online blackmail and sexualised hate speech.
Another but more general case of data protection and breaches incidents related to Covid-19 , is one narrated by *Mary Haufiku below who took to Facebook in early April, conveying her concern about the usage of her data she had left at a public establishment. She complained that the exercise has left her spammed with targeted advertisement by a specific car dealer.
The tip of the iceberg in public data collection was another case reported by the media, when the Namibian newspaper wrote that “a Covid-19 customer register was allegedly stolen from the Namibia Fish Consumption Promotion Trust (NFCPT) fish shop at Ondangwa by unknown suspects over a weekend’. While no follow up to this article was further reported, this incident alone makes it challenging to fully track progress alone or the usage of the stolen data in Namibia in general.
Data Collection, perception and public response
Apart from the physical forms of data collection, there have been electronic forms of retaining data too. From March to November 2020, few digital interventions were created to record data particularly at retail shops. While confidential contact tracing applications can be good tools for public health; cases such as those highlighted above of unsecured registries put the public into a vulnerable position.
In reporting about the innovations, the media has been reporting from an innovation aspect and disregarded potential threats to data privacy such as the standards that the applications held themselves to. It’s important that the media and public should care about data privacy especially on a background of a privacy bill on the cards.
Data protection: training, regulation during Covid-19
Furthermore, a government Gazette of 23 September 2020, has set out further measures of contact tracing, however even these do not speak to issues of data privacy and protection.
However, the gazetted regulations have set punitive means for those contravening the measures as; that for breaking the law, establishments could pay N$ 2000 or face six months imprisonment. 6 (a) requires person(s) to keep the register in a safe place for the duration of the State of Emergency. Sub (c) does state that such ‘information’ is confidential and may not be disclosed to any other person except as provided in paragraph.
The issue of the validity of the regulations have been raised and questions such as to what will happen to such data after the state of emergency needed to be further interrogated.
Covid-19, digital and data protection
In September 2020, the Ministry of Health and Social Services, and partners – including the Namibia Statistics Agency (NSA) – launched an online Covid-19 Information Hub. While available to the public, the hub does not contain personal data, however it only contains statistics on Covid-19 cases, graphs and information about the virus in Namibia.
The hub neither shares any information about data protection or how citizens and retail shops can protect their data. Information is also not provided on what happened to the books from retail shops and various establishments containing people data.
However videos with customer’s data have circulated on Tiktok and Whatsapp showing how easy for citizens or businesses to access and misuse personal data. There is no protection of data at different establishments, and it has been easy to scan through people contact details for example as seen in the video presented.
In concluding, as Namibia look towards finalising legislation on Data Protection and Privacy, Covid-19 has demonstrated an urgent need not only to speed up work on the bill, but to ensure it addresses the data privacy and protection issues uncovered during the pandemic. Furthermore, public education and awareness need to be prioritised on how personal data is collected and disseminated, and can be protected. Further close collaboration across all sectors by different players needs to be strengthened as Data Protection is a multi-sectoral work that apart from data owners, also involve diverse data processors and collectors as well as data regulators and retainers.
Happy Data Protection and Privacy Day, Namibia!
*This article is an extract of research on an exploratory study on data protection in Namibia during Covid-19. The research was carried out with financial support by the Africa Digital Rights Fund, managed by Collaboration on International ICT Policy in East and Southern Africa (CIPESA).
*Nashilongo Gervasius is an ICT, Media and Communication Consultant and Managing Consultant at NamTshuwe Digital. She can be reached on firstname.lastname@example.org