With the July 1 opening of vaccine registration for those aged 50 to 59, more than 4.8 million more people can now register on South Africa’s Electronic Vaccination Data System (EVDS). They will join a few million others before them who have also provided personal information including their names, ID numbers, cellphone numbers and medical aid numbers if applicable.
Concerns around South Africa’s Electronic Vaccination Data System (EVDS) have simmered since the launch of the Covid-19 vaccine registration platform on April 16.
Questions have been asked about SMS delays, scheduling of appointments far from people’s homes, low registration rates in some areas and alleged queue jumping on the EVDS, which was designed to manage multiple aspects of the health department’s national vaccination campaign.
With the July 1 opening of registration for those aged 50 to 59, more than 4.8 million more people can now register on the EVDS. They will join a few million before them in providing personal information including their names, ID numbers, cell phone numbers and medical aid numbers if applicable.
Prompted through a user-friendly, web-based platform, they will upload this data with a view to getting a vaccine, thereby both protecting their own health and contributing to the fight against Covid-19.
Without looking closely at the EVDS’ terms and conditions, however, few of these users know where their data is being housed, what safeguards protect it, and who is responsible for the programming, design and management of the system.
“We live in a time where cybercrime is prominent globally. The kind of information that is collected on the EVDS, if it falls into the wrong hands, could potentially cause a lot of damage,” says Darelle van Greunen, director of the Centre for Community Technologies at Nelson Mandela University.
Among these risks are identity theft and ransomware attacks, the latter of which may require the health department to pay cyber criminals in order to recover stolen EVDS user data.
Alongside cyber risks are issues around EVDS user consent and security policies. As the Protection of Personal Information Act (Popia) comes into force and digital policies evolve, some feel that transparency around the system could shift focus from criticism to pride in what the EVDS can accomplish.
A complex system
“There are thousands of people working very hard under difficult circumstances to make this system work,” says Nicholas Crisp, deputy director-general in the national department of health, who oversees the EVDS.
It is a complex system, he says, that involves a public-facing registration portal and SMS communications. It also keeps track of the vaccination process, including vaccine stocks, the individual lot and batch number of vaccines given, and any adverse events reported. It also tracks whether vaccinations are paid for by the state or by private medical aid.
Throughout these processes, a team of health department staff, private service providers and healthcare workers on the ground interact with user data, identify bugs and answer queries.
Among them is Mezzanine, a digital technology company and subsidiary of the Vodacom Group. Mezzanine manages EVDS programme updates and adaptations arising from real-time usage and from new cohort additions.
“The team doing the programming work is working to fix bugs and answer queries,” says Crisp.
“When we’re going live with registration, they’re prepared and doing test runs behind the scenes to ensure that there are no data problems.”
Crisp says Mezzanine was contracted for the work under the National Treasury Vodacom RT15-2016 Transversal contract.
Its work is supplemented by a team at the CSIR, which manages EVDS data at its in-house facility. Crisp says that the partnership was established through a memorandum of understanding between the CSIR and the health department.
Both the CSIR and Mezzanine declined to comment for this article, referring queries to the health department.
Supporting the NHI
The health department is responsible for SMS delivery and acts as the owner of all data and components of the EVDS.
“We use the National Health Insurance [NHI] data centre at the CSIR, and all programming hardware and software belongs to the NHI,” says Crisp.
According to him, the EVDS was only possible thanks to the development of the NHI digital backbone over the past five years. Indeed, the service links with the NHI to support government’s larger aim of advancing universal health coverage.
Speaking at the EVDS launch, Health Minister Zweli Mkhize – who was put on special leave by President Cyril Ramaphosa amid allegations of his involvement in the awarding of irregular Covid-19 contracts to companies belonging to his former associates – said it would support “systems for identity verification of users of the health system [both public and private], expanding the capabilities of the Health Patient Registration System [HPRS]”.
The HPRS, which was initiated in 2014 by the health department, is an electronic system to register all patients using health facilities. Collecting personal data similar to that captured by the EVDS, it makes it possible to track patients for improving quality and continuity of care.
“What we’re learning in the EVDS process is more information about patient records and how to improve our master list of healthcare facilities across the country,” says Crisp.
With the implementation of Popia on July 1, Van Greunen says this linkage raises questions around consent.
“With Popia, you need to be informed immediately about what your data is being collected for and what processes are in place to protect your data,” she says.
Because there is so little upfront detail with the EVDS on its home page, for example, “you don’t know what you are consenting to and who has access to your data”.
Therefore, even though Mkhize has publicly stated that the EVDS may be used to expand the capabilities of the HPRS, it is possible that some people who register on the EVDS are unaware that the data they provide might be linked to the HPRS and be helping to build the data infrastructure for the NHI.
The EVDS complies with all requirements and safeguards of Popia, says Crisp.
He confirmed that several safety measures are in place, such as firewalls, blockchain security and physical security of the data centre. The EVDS is also regularly audited by the Auditor-General.
“I’m comfortable that it’s secure and I know that the Auditor-General is comfortable that it’s secure,” Crisp said.
According to the Auditor-General’s office, the findings of its audit will be released when it tables its 2020/21 consolidated general report on national and provincial – Public Finance Management Act – audit outcomes next year.
But even the best security has vulnerabilities.
Global rankings place South Africa 59th among 182 countries for cyber security – and at eighth place on the continent. Among the risks faced are ransomware attacks, which can cost many millions.
“Since the start of the pandemic, we’ve seen more ransomware attacks, which is a worrying aspect for the EVDS,” says Brett van Niekerk from the School of Mathematics, Statistics and Computer Science at the University of KwaZulu-Natal.
Ransomware often involves a cybercriminal holding data hostage until a ransom is paid. If the ransom is not paid then that data remains unavailable.
“Because the EVDS manages all vaccine information, government might be likely to pay out in a ransomware attack,” he says.
However, the risk of cybercriminals stealing user data from the EVDS may be low.
“I struggle to see any direct usability of the data that would warrant criticism from the security community,” he says.
The right direction
That wasn’t the case with government’s originally proposed Covid-19 track-and-trace system, which would have used location data supplied from mobile networks.
Concerns were raised almost immediately because “location data can be used to create detailed and invasive records of a person’s movements, public and private activities, and personal contacts”, a report from the Media Policy and Democracy Project showed.
Government ultimately abandoned that approach, but the report said the policy developed around it “represented a step forward in how the South African state thinks about policy safeguards”.
Since then, government has implemented an alternative track-and-trace system that does not make use of location data and which includes stronger privacy safeguards.
Van Greunen, who consults with the health department on various information and communications technology projects in the Eastern Cape, is confident that they are taking the matter of security seriously. However, she says, there is still a lot at stake in getting the EVDS right.
“As much as security is of the highest priority, we need to create a balance in terms of serving a massive humanitarian need and getting as many people registered as possible,” she says.
“If they don’t get it right, we lose the willingness to register, the willingness to go for vaccines and the whole fight against the pandemic is probably at stake.”
This article was produced by Spotlight – health journalism in the public interest.