How Asia’s digital governance beacon balances data privacy and the ‘public good’ – The Diplomat

Health care in Taiwan is extremely good. It is not difficult to find claims that the country’s national health insurance system is one of the best in the world, whether in international league tables or Taiwan’s inclusion in Ezekial Emanual’s recent book “Which Country Has the Best Health Care in the World?”The COVID-19 pandemic has also demonstrated the strength of health care in Taiwan. The island nation of 23.5 million people avoided lockdown for the whole of 2020 and, despite outbreaks in 2021 and 2022, maintained one death per million people, comparable to New Zealand.

Taiwan is built around a mandatory single-payer insurance scheme, which is supplemented by (small) out-of-pocket payments for seeing doctors. The system now covers 99% of the population, and since its rollout in 1995, the national health insurance system has helped reduce regional income and health inequalities. The system is not without challenges, however. It is chronically underfunded and understaffed, and Taiwan’s aging population only compounds this problem.

Taiwan has also recently been seen as a beacon of “digital democracy” and good digital governance in Asia, not least thanks to the efforts of Audrey Tang, today Taiwan’s premier digital minister. But a decade-long court case has challenged Taiwan’s reputation for responsible digital governance and strong medical care. The conduit for this conflict has not been the insurance system itself, but the abundant data on the health of citizens produced alongside its operation. A central database, known as the National Health Insurance Database (NHID), was established by the Taiwan National Bureau of Health Insurance (BNHI) in 1998. The database now contains an immense amount of data, including identification numbers, demographic information and complete information. the medical records of approximately 99% of Taiwan’s population.

This data has been increasingly available to researchers since 2000 to promote medical research in Taiwan, with the ability to link this data to other government databases. As the Taiwanese government strives to promote the “value-added application” of data in the public sector, the prospect of commercial use of INDH data by private sector companies has been repeatedly raised. by senior government officials.

The idea of ​​reallocating citizens’ health data into the NHID has long drawn ire from human rights activists in Taiwan, who worry about users’ right to privacy. Although Taiwan’s personal data protection law generally prohibits the use of sensitive data, there is an exception in Article 16 of the law that allows the use of sensitive data when “necessary for statistics or academic research by any government agency or academic institution for the purposes of health care, public health, or crime prevention Section 16 has been used by the National Health Insurance Administration of Taiwan to justify researchers accessing the NHID without permission or the right to opt out of the individuals concerned.

Like this article ? Click here to register for full access. Just $5 per month.

As early as 2012, the Taiwan Human Rights Association sued the database after some citizens’ requests not to share their data were denied. In 2017, Taiwan’s High Administrative Court ruled against the Taiwan Human Rights Association, siding with the database. In response, the association attacked Taiwan’s personal data protection law itself, calling it unconstitutional and a violation of individual rights. They submitted a new case, this time to the Constitutional Court of Taiwan.

The Taiwan Human Rights Association made multiple arguments in its petition for constitutional interpretation. First, they noted the lack of administrative systems to regulate how data can be used and what type of research counts as “public interest.” Activists questioned whether all the research could really justify a potential breach of privacy. The section 16 exclusion provides little guidance on what exactly is “necessary,” and neither does any law.

This echoes a common refrain from critics of the Taiwanese government’s protection of individual liberty, in which the absence of clear legal guidelines gives way to excessive government power. Such an argument succeeded in halting the rollout of electronic ID cards in Taiwan before new data protection laws were put in place. Similar objections also succeeded in limiting the rollout of social media platform regulation in Taiwan before new laws could better define what fake news and content should be removed by platforms.

Importantly, the Taiwan Human Rights Association also noted the possibility of re-identification of anonymized data through cross-referencing with other government datasets, which would make the publication of the entire data for researchers a potential breach of privacy. The issue of re-identification of seemingly anonymous data has long been a global problem: In 2006, AOL provided researchers with a set of user data they thought was anonymous, but by cross-referencing certain characteristics of the data, the researchers were able to identify almost every person in the data set. Although the National Health Insurance Database has claimed that the de-identification process is rigorous, this claim will only be truly tested if a re-identification event occurs – by which time it is already too late.

After years of waiting, in August this year, the Constitutional Court finally issued its decision. The result is generally in favor of citizens’ rights to privacy and self-determination of information, but not entirely satisfactory to the most progressive human rights activists. In the judges’ view, the section 16 exclusion itself was still constitutional. However, the judges found that the lack of opt-out channels and institutions to protect citizens’ privacy when sharing public health databases was problematic. Therefore, the Court has now mandated the establishment of an independent oversight mechanism and clearer legislation regarding when sensitive data can be used.

Similar to the ID card and content regulation cases mentioned above, this ruling once again shook up some of the fuzzy legal lines and unclear guidelines that have plagued Taiwan’s administrative system since the country’s transition away. of authoritarianism more than three decades ago. When it comes to how data and information is used and processed, the Taiwanese government is increasingly under pressure to come up with clearer rules.

That said, regarding the issue of anonymization, the court ruled that as long as the data could not be “directly re-identified,” there was no problem. This leaves the door open for future privacy breaches by cross-referencing multiple datasets. This will likely be an issue of increasing concern as more and more data is amassed by the state. In sum, the Taiwan Human Rights Association, and privacy advocates more broadly, won a moderate, if not complete, legal victory.

The latest decision represents a growing debate, both in Taiwan and around the world, about the right balance between sharing citizens’ data to create greater socio-economic value and respecting citizens’ privacy. Governments around the world must balance the proposed benefits of good governance and innovation that access to data can bring, with individual rights to control our visibility into the increasingly ubiquitous private and government spreadsheets that inform decision-making in the age of big data. . This problem has been highlighted during the pandemic, where track and trace systems have been deployed as a means of preventing infections, to the anger of many worried about government tracking. Originally, Taiwan weathered this storm rather well, rolling out a system born out of collaboration between civil society and government actors that used third-party databases to anonymize personal data. Indeed, Taiwan’s early success in preventing the pandemic is in part due to the constant and intense surveillance under which all who arrive in Taiwan have been placed during their mandatory quarantine.

Although in the NHID case, human rights defenders won a victory that will also be a victory for administrative clarity in Taiwan, it is important to take the other side of the debate seriously as well. For example, some medical researchers have pointed out that the potential for an opt-out mechanism can create biases in the data because the parts of the population most likely to opt out are not random. Specifically, people with marginalized medical identities – such as people with HIV, a population in Taiwan that has historically been under intense medical scrutiny – will most likely be more proactive in using any opt-out mechanism. Whether that would be a blow to HIV research or to broader research that hopes to take into account the effects on populations living with HIV in Taiwan remains to be seen. The answer will depend both on the adoption of opt-out options by certain populations, but also on the ability of researchers to come up with new statistical counterweights to help address potential sample biases. Either way, it is at least worth celebrating that future research will be undertaken with the consent (even if only tacit) of the population in question to be part of such studies, which should be considered a victory for research ethics.

Taiwan’s move puts the country more closely in line with guidelines that exist in the United States, which has protected all personal data since the Health Insurance Portability and Accountability Act in 1996, and the Union European Union, which has similar protections under the General Data Protection Regulations passed in 2016. The Constitutional Court has now given the Taiwanese government three years to pass new laws regarding surveillance, data use and a mechanism for withdrawal. The details of these laws have yet to be revealed and the future of such regulation is still somewhat uncertain. Exactly who can opt out, and under what circumstances, will now be determined by lawmakers, who will also have to decide on exactly what use of the data is in the public interest. It will be crucial for privacy advocates and anyone interested in the issue of data governance to keep an eye out for new laws that are expected to pass in the coming years.