Data Protection Law
Contact tracing apps are being developed by governments and private enterprises to fight COVID-19. Their design and use however raise serious privacy concerns.
How do contact tracing apps work?
Contact tracing apps are mobile software applications designed to help identify individuals who may have been in contact with another person.
In the context of COVID-19 this means that anyone with the app who has been diagnosed with the virus or has self-diagnosed can enter that information into the app. Then, via the use of Bluetooth, anyone who has come, or comes, into contact with that diagnosed or self-diagnosed person will be notified by the app. If you are notified of such contact then you can take steps to self-quarantine or otherwise manage your exposure. This all relies upon individuals carrying their mobile phones at all times with Bluetooth activated which has cast doubt on their potential effectiveness.
Why adopt contact tracing apps?
By tracing the contacts of infected individuals, testing them for infection, treating the infected and tracing their contacts in turn, public health authorities aim to reduce infections in the population. Diseases for which contact tracing is commonly performed include tuberculosis, vaccine-preventable infections like measles, sexually transmitted infections (including HIV), blood-borne infections, some serious bacterial infections, and novel infections (e.g. coronavirus).
Privacy issues with contact tracing apps
Numerous applications are in development, with official government support in some territories and jurisdictions. Several frameworks for building contact tracing apps have been developed. Privacy concerns have been raised, especially about systems that are based on tracking the geographical location of app users.
Less intrusive alternatives include the use of Bluetooth signals to log a user’s proximity to other mobile phones. On 10 April 2020, Google and Apple jointly announced that they would integrate functionality to support such Bluetooth-based apps directly into their Android and iOS operating systems.
These Bluetooth signals offer greater privacy protection because they operate on an anonymous basis. Therefore someone who comes into contact with an infected person will not have any information besides the fact that they have come into contact with an infected person. Rather than receiving any unnecessary information such as a unique identifying code or the name of the infected person.
The Information Commissioner (IC), Elizabeth Denham, has published a blog setting out data protection considerations for organisations using contact tracing and location data technologies in connection with the COVID-19 pandemic.
While the IC is maintaining a pragmatic and flexible approach to data protection compliance during the pandemic, the IC reminds organisations that the public must remain assured that their data will be processed lawfully in connection with the use of technology to track the spread of COVID-19 by individuals.
To help achieve the IC’s twin goals of maintaining public trust and promoting compliance, the blog includes a series of questions for organisations to bear in mind when using new technologies to combat the pandemic. It focusses on compliance with data protection requirements under Article 25 of the General Data Protection Regulation ((EU) 2016/679) (GDPR), the data minimisation and storage limitation principles under Article 5(1)and data subject rights generally under the GDPR.
The IC asks organisations to consider the following questions:
- Have you demonstrated how privacy is built into the processor technology?
- Is the planned collection and use of personal data necessary and proportionate?
- What control do users have over their data?
- How much data needs to be gathered and processed centrally?
- When in operation, what are the governance and accountability processes in your organisation for ongoing monitoring and evaluation of data processing, that is to ensure it remains necessary and effective, and to ensure that the safeguards in place are still suitable?
- What happens when the processing is no longer necessary?
The IC extends an offer to assist organisations with these processes, by providing guidance and tools to consider data protection requirements in the planning and development phase for projects adopting new technology, and by performing an audit of the measures and processes implemented by an organisation when the project has become operational.
The Information Commissioner’s Office (ICO) has published a discussion document setting out its expectations and recommended best practice for the development and deployment of COVID-19 contact tracing apps.
The document was published in advance of Information Commissioner Elizabeth Denham’s and Executive Director of Technology and Innovation Simon McDougall’s appearance before the Human Rights Joint Committee on 4 May 2020 and is intended to help NHSX and other developers of contact tracing apps comply with information provision and data protection by default and design requirements under the GDPR.
Key principles and recommendations for developers to consider include
- Performing a Data Protection Impact Assessment (DPIA) prior to implementation of the app and refreshing the DPIA whenever the app is updated during its life cycle.
- Being transparent with users and providing them with clear information about the purpose and design choices for the app and the benefits the app seeks to deliver for both users and the NHS. Users must also be fully informed about the data to be processed by the app before the processing takes place.
- Complying with data minimisation, retention and security principles under Articles 5(1) and 32 of the GDPR.
- Ensuring participation is voluntary and users can opt in and out of participation and exercise their data subject rights (including rights of access, erasure, restriction and rectification) with ease. This could involve the developer providing users with a dedicated privacy control panel or dashboard.
- Relying on valid user consent or an alternative lawful basis under Article 6(1) of the GDPR for the processing of personal data where this is necessary and more appropriate, such as performance of a task in the public interest (particularly where an app is developed by or on behalf of a public health authority).
- The collection of personal data relating to health shall be allowed only where the processing is either based on explicit consent, is necessary for reasons of public interest in the area of public health, is for health care purposes, or is necessary for scientific research or statistical purposes.
The ICO will keep these recommendations under review and remains open to feedback.
What does this mean for businesses?
If contact tracing apps are designed in line with ICO guidance, businesses looking to monitor employees can have confidence in asking employees to use such apps. In all likelihood the NHSX app will be used in the UK and therefore businesses should be aware of how that app is being developed.
On 12 April 2020, Matthew Hancock, the Minister for Health and Social Care and the politician directly responsible for the NHS, announced that the NHS was developing a mobile app that will allow for contact tracing. The app is being developed by NHSX, a specialist unit responsible for digital transformation in the NHS.
In response to the Information Commissioner’s approach, NHSX has stated that they are prioritising security and privacy in all stages of the app’s design. They are planning to publish their security designs and the source code of the app to demonstrate this. Furthermore, they have confirmed that all data gathered by the app will only be used for NHS care, management, evaluation and research, and that individuals will be able to delete the app and their data at any point.
Two key constraints for contact tracing apps to be effective:
- 80 per cent or more of the UK population who own a smartphone need to download it; and
- the UK needs to test more than 100,000 people a day.
This is because contact tracing relies on large numbers of citizens being involved in the effort.
The UK Information Commissioner, Elizabeth Denham, has been supportive of the development of contact tracing apps. On 17 April she stated that “data protection laws [should] not get in the way of innovative use of data in a public health emergency – as long as the principles of the law (transparency, fairness and proportionality) are applied. The same approach applies to the use of contact tracing applications.”
Even though they are encouraged, organisations developing contact tracing apps and using them need to be conscious of the privacy issues.