Concerns around South Africa’s Electronic Vaccination Data System (EVDS) for Covid-19 have simmered since its launch on 16 April. Designed to manage multiple aspects of the Department of Health’s national vaccination campaign, questions have been asked about SMS delays, scheduling of appointments far from people’s homes, low registration rates in some areas, and alleged “queue jumping”, to name just a few.

With the 1 July opening of registration for those aged 50-59, over 4.8 million more people can now register on the EVDS. They will join a few million before them in providing personal information including their names, ID numbers, cell phone numbers, and medical aid numbers if applicable. 

Prompted through a user-friendly, web-based platform, they will upload this data with a vision of getting a vaccine and thereby both protecting their own health and contributing to the fight against Covid-19. Without looking closely at the EVDS’ terms and conditions, however, few of these users know where their data is being housed, what safeguards protect it, and who is responsible for the programming, design and management of the EVDS. 

“We live in a time where cybercrime is prominent globally. The kind of info that is collected on the EVDS, if it falls into the wrong hands, could potentially cause a lot of damage,” says Darelle van Greunen, director of the Centre for Community Technologies (CCT) at Nelson Mandela University. Among these risks are identity theft and ransomware attacks, the latter of which may require the Department of Health to pay cybercriminals in order to recover stolen EVDS user data.

Alongside cyber risks are issues around EVDS user consent and its security policies. As the Protection of Personal Information Act (Popia) comes into force and digital policies evolve, some feel transparency around the system could shift focus from criticism to pride in what the EVDS can accomplish.

A complex system

“There are thousands of people working very hard under difficult circumstances to make this system work,” says Nicholas Crisp, deputy director-general in the National Department of Health, who oversees the EVDS.

It is a complex system, he says, that involves a public-facing registration portal and SMS communications. It also keeps track of the vaccination process, including vaccines stocks, the individual lot and batch number of vaccines given, and any adverse events reported. It also tracks whether vaccinations are paid for by the state or by private medical aid.

Throughout these processes, a team of Department of Health staff, private service providers and healthcare workers on the ground interact with user data, identify bugs and answer queries. 

Among them is Mezzanine, a digital technology company and subsidiary of the Vodacom Group. Mezzanine manages EVDS programme updates and adaptations arising from real-time usage and from new cohort additions.

“The team doing the programming work is working to fix bugs and answer queries,” says Crisp. “When we’re going live with registration, they’re prepared and doing test runs behind the scenes to ensure there are no data problems.”

Crisp says Mezzanine was contracted for the work under the National Treasury Vodacom RT15-2016 Transversal contract.

Mezzanine’s work is supplemented by a team at the Council for Scientific and Industrial Research (CSIR), which manages EVDS data at its in-house facility. Crisp says that the partnership was established through a memorandum of understanding between CSIR and the Department of Health. 

Both CSIR and Mezzanine declined to comment for this article, referring queries to the Department of Health.

Supporting the NHI

The Department of Health is responsible for SMS delivery and acts as the owner of all data and components of the EVDS. “We use the NHI’s data centre at CSIR, and all programming hardware and software belongs to the NHI,” says Crisp. 

According to him, the EVDS was only possible thanks to the development of the NHI digital backbone over the past five years. Indeed, the service links with the NHI to support government’s larger aims of advancing universal health coverage. 

Speaking at the EVDS launch, Health Minister Dr Zweli Mkhize (currently on special leave), said it would support “systems for identity verification of users of the health system (both those in public and in private), expanding the capabilities of the Health Patient Registration System (HPRS) platform”.

The HPRS, initiated in 2014 by the Department of Health, is an electronic system to register all patients using health facilities. By collecting personal data similar to that captured by the EVDS, it makes it possible to track patients for improving quality and continuity of care, said a report.

“What we’re learning in the EVDS process is more information about patient records and how to improve our master list of healthcare facilities across the country,” says Crisp.

With the implementation of Popia on 1 July, Van Greunen says this linkage raises questions around consent. “With Popia, you need to be informed immediately about what your data is being collected for and what processes are in place to protect your data,” she says.

Because there is so little up-front detail with EVDS, for example, on its homepage, she says, “you don’t know what you are consenting to and who has access to your data.”

Thus, even though Mkhize has publicly stated that the EVDS may be used to expand the capabilities of the HPRS, it is possible that some people who register on the EVDS are nevertheless unaware that the data they provide might be linked to the HPRS and be helping to build the data infrastructure for NHI.

Popia compliant

EVDS complies with all requirements and safeguards of Popia, says Crisp. He also confirms several safety measures are in place such as firewalls, blockchain security and physical security of the data centre. The EVDS is also regularly audited by the Auditor-General of South Africa (AGSA).

“I’m comfortable that it’s secure, and I know the Auditor-General is comfortable that it’s secure,” Crisp says. 

According to the AGSA, the findings of their audit will be released when it tables its 2020-21 consolidated general report on national and provincial (PFMA) audit outcomes next year. 

But even the best security has vulnerabilities. 

Global rankings place South Africa 59th among 182 countries for cybersecurity, and in eighth place on the continent. Among the risks faced are ransomware attacks, which can cost many millions.

“Since the start of the pandemic, we’ve seen more ransomware attacks, which is a worrying aspect for the EVDS,” says Brett van Niekerk from the School of Mathematics, Statistics and Computer Science at the University of KwaZulu-Natal.

Ransomware often involves a cyber-criminal holding data hostage until a ransom is paid. If the ransom is not paid, the data remains unavailable. “Because EVDS manages all vaccine information, the government might be likely to pay out in a ransomware attack,” he says.

However, the risk of cyber-criminals stealing user data from the EVDS may be low. “I struggle to see any direct usability of the data that would warrant criticism from the security community,” he says.

The right direction

That wasn’t the case with the government’s originally proposed Covid-19 track and trace system. The system would have used location data supplied from mobile networks.

Concerns were raised almost immediately, however, because “location data can be used to create very detailed and invasive records of a person’s movements, public and private activities, and personal contacts,” a report from the Media Policy and Democracy Project showed.

Government ultimately abandoned the initial track and trace approach, but the report said policy developed around it “represented a step forward in how the South African state thinks about policy safeguards”. Since then, government has implemented an alternative track and trace system that does not make use of location data and that includes stronger privacy safeguards.

Van Greunen, who consults with the Department of Health on various ICT projects in the Eastern Cape, is confident they are taking the matter of security seriously. Still, she says there is a lot at stake to getting the EVDS right.

“As much as security is of the highest priority, we are needing to create a balance in terms of serving a massive humanitarian need and getting as many people registered as possible,” she says. “If they don’t get it right, we lose the willingness to register, the willingness to go for vaccines and the whole fight against the pandemic is probably at stake.” DM/MC

*This article was produced by Spotlight – health journalism in the public interest.