Covid-19 Contact tracing: Data Protection expectations on app development
The Health Service Executive (HSE) plans to release its contact tracing app to help identify close contacts of a confirmed case of COVID-19 by the end of May. The technology is seen as a useful supplement to manual tracing of contacts of a confirmed case who may become infected.
At present we understand from media reports that:
- The app is to follow the German model, in which all the information is stored on the device itself rather than on a government database, to mitigate data protection concerns.
- The app is planned to only be available on smartphones and will use Bluetooth technology to augment the tracing process.
- Prototype testing is planned with an initial soft launch, similar to that of the UK, which is using the Isle of Wight as a testing base.
- Use of the app will be limited to people aged 16 years or over as this is the digital age of consent.
- Clearly the use of the app cross-border will pose specific challenges.
- It is understood it will be based on an “opt in” system.
We believe the Irish app project team is developing a Data Protection Impact Assessment (DPIA) which will be sent to the Data Protection Commissioner. Paul Reid, Chief Executive of the HSE, is reported as stating: “We want to set out in the DPIA how we will mitigate any risks or concerns that may be in relation to Data Protection issues”. Simon Harris, Minister for Health, has been quoted in the press as stating: “While the app will not record or collect exact location information, users would have the option of volunteering their general locality”.
While we await further details, some commentators have voiced concerns that the HSE has not provided any detailed information about what the app is supposed to do or how it is supposed to do it, and have asked that the source code and a DPIA be shared before the app goes live. We understand, however, that the HSE has said it only intends to do so after launch.
We note that the European Data Protection Board published guidelines on 21 April on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (the Guidelines) which we assume will be taken into account by the Data Protection Commissioner in their review of the DPIA. In summary the Guidelines wish to ensure that any measures taken are necessary, limited in time, of minimal extent and subject to periodic and genuine review as well as to scientific evaluation. The Guidelines require the responsible use of personal data for health management purposes while seeking to ensure individual rights and freedoms are not eroded in the process.
The Information Commissioner's Office (ICO) in the UK has also recently published its data protection expectations of COVID-19 contact tracing app development, which serve as a useful guide on how contact tracing can be developed in line with the principles of data protection by design and default.
The ICO considers that a DPIA is required and may need to be revisited over time. Its main expectations require the principles outlined below to be followed through the lifecycle of the contact tracing app:
1. Be transparent about the purpose
2. Be transparent about your design choice
3. Be transparent about the benefits
4. Collect the minimum of personal data necessary
5. Protect your users
6. Give users control
7. Keep data for the minimum amount of time and where appropriate ensure the user has control over this
8. Securely process the data
9. Ensure the user can opt in or opt out without any negative consequences
10. Strengthen privacy, don’t weaken it.
In addition to the above the ICO has published detailed best practice recommendations which are grouped under lifecycle development and translate the requirements of data protection law at:
– first, scope, requirements and design phase so they track ideation;
– next, at the development, deployment, onboarding and operating phase, so they track operation/functionality;
– finally, at decommissioning of the service.
Some jurisdictions are recommending sunset clauses at the decommissioning phase to alleviate data protection concerns about data collected. The contact tracing app raises a myriad of privacy concerns, but a pragmatic and proportionate regulator can work with the Irish project team to address the challenges of supporting citizens in responding to this crisis. The Irish project team developing the app with the assistance of the large tech companies will need to build data protection by design and default into their services if the DPIA is to pass muster with the Data Protection Commissioner. If the HSE is to reach its 25 per cent uptake of the app in order for it to be effective, the app must provide citizens with confidence that their privacy rights are protected in a time of great uncertainty.