How is your data protected and processed in the EVDS?

How is your data protected and processed in the EVDS?

South Africa has adopted a digital approach to the rollout of the Covid-19 vaccine, with the implementation of the Electronic Vaccine Data System (EVDS). While this system is designed to streamline the process and improve the tracking and tracing of vaccines across the country.

It also has raised important questions around how the data collected by the system will be processed, and how it will be secured and protected. Healthcare data is a lucrative business for cybercriminals, and the EVDS collects multiple pieces of personally identifiable information. Without adequate protection, this data could easily be compromised.  

“The EVDS is an attractive target for those with malicious intent because health data is extremely sensitive and therefore fetches a high price on the black market. The system also has multiple stages, from collection to storage, as well as processing and analysis, and therefore multiple potential points of vulnerability. Data management is crucial when sensitive information is involved,” says Simeon Tassev, MD and QSA at Galix.  

Registration on the EVDS requires people to enter unique identifiers, such as their name, surname, ID number and contact number, as well as medical aid scheme and membership number if applicable. All of this information could be used for identity theft, which makes it very valuable.

Despite the enactment of the Protection of Personal Information Act (PoPIA), the EVDS registration site fails to inform users of the purpose for which their data is being collected, and of the processes that are being used to protect it.  

“Aside from the security and compliance components, this sensitive data is a matter of public record, which means that it needs to be treated according to records management best practice. This includes anonymisation to ensure it cannot be used by the wrong people, even if they manage to gain access to it.

The ramifications of a data breach around the EVDS would be considerable, and the government needs to take all possible steps to ensure that this does not occur,” adds Gareth de Laporte, Channel and Alliances Manager at Micro focus and privacy and data governance subject matter expert.  

The EVDS is also being used to track vaccines from delivery to administration, which is valuable data for vaccine manufacturers and could potentially be sold to competitors if it is breached. Those with malicious intent could even hack into the system and sell vaccine slots to desperate people who wish to skip the queue. There is a lot of potential for misuse and abuse of the data, a fact that needs to be addressed.  

“The analysis of information is another important factor. What is the information being used for? Where is it collected, where is it processed and where does it end up? What are the vulnerabilities in transit? There are also PoPIA compliance issues, since data can only be used and analysed for the purpose for which it was intended, and this must be specified. With the personal information of millions of members of the public stored on a single information system, the protection of this system must be of the highest priority,” says de Laporte.

Records keeping, compliance, data protection, encryption at source and database protection are only a few of the factors the EVDS needs to incorporate. Has enough been done to protect the public’s sensitive data? And who is liable if the data is breached or used for a purpose that it was not intended for?

There are various technologies available from local partners and service providers that would mitigate all these risks, in line with both local and international compliance and privacy requirements. This includes securing data to prevent unauthorised access, encryption and anonymisation of records and end-to-end management.  

“Hacking into a system like the EVDS is the digital equivalent of rummaging in the trash. It is dirty but often simple and profitable, and the information gained and sold fuels a plethora of unsavoury activities, from organised crime to identity theft. Personal information must be kept confidential and the public needs to feel safe that their information is secure. There needs to be greater transparency around this, especially in light of the many highly publicised attacks on government systems over the years,” Tassev concludes.