With federal, provincial and territorial leaders discussing a national approach to COVID-19 tracking apps, privacy commissioners across the country have issued a joint statement urging governments to follow at least nine principles.
One is that governments sign “strong contractual measures with developers” before approving an app, ensuring that non-authorized parties can’t access collected data and that the data will not be used for any purpose other than its intended public health purpose.
Personal information should not be accessible or compellable by service providers or other organizations, the commissioners add.
Already one consumer group, the Public Interest Advocacy Centre (PIAC), wants to go before the Canadian Radio-television and Telecommunications Commission (CRTC) to get the telecom regulator to oversee pandemic contact-tracing apps and network services that may be offered for Canadians to download to their smartphones.
Privacy Commissioner of Canada Daniel Therrien says technology can be part of the solution to address the COVID-19 pandemic and notes that the health crisis calls for a flexible and contextual application of privacy laws. “If done properly, tracing applications can achieve both privacy and public health goals at the same time. Everything hinges on design, and appropriate design depends on respect for certain key privacy principles.”
The statement comes as Australia considers amending its national privacy legislation to provide for a five-year prison term for anyone who uses data captured by its COVID-19 app for anything other than approved purposes.
Meanwhile, Alberta has become the first jurisdiction to release a COVID-19 app.
Ontario Premier Doug Ford has promised to raise the issue of having a national approach to a tracing app at today’s meeting of the federal, provincial and territorial leaders. They have been considering about a dozen apps for approval.
Tracking apps are meant to help staff at provincial and territorial health authorities trace people who have tested positive for the coronavirus. Most released or proposed apps use Bluetooth “handshakes” with very nearby devices to compile an encrypted list of devices. If a user tests positive, the list on their device can be uploaded to a health authority, which can decrypt the list to contact and warn people to watch their symptoms and/or get tested.
But, the privacy commissioners say, the applications raise important privacy risks. “While applicable [Canadian] privacy laws must be observed, some of them do not provide an effective level of protection suited to the digital environment.”
The nine principles are:
- Consent and trust: The use of apps must be voluntary. This will be indispensable to building public trust. Trust will also require that governments demonstrate a high level of transparency and accountability.
- Legal authority: The proposed measures must have a clear legal basis and consent must be meaningful. Separate consent must be provided for all specific public health purposes intended. Personal information should not be accessible or compellable by service providers or other organizations.
- Necessity and Proportionality: Measures must be necessary and proportionate and, therefore, be science-based, necessary for a specific purpose, tailored to that purpose and likely to be effective. To assist in determining whether the measure in question is justifiable in the circumstances, governments should consider the following:
  - Necessity: the public health purpose or purposes underlying a measure must be evidence-based and defined with some specificity. Is the purpose to notify users and advise them to take certain actions? Is it to assist public health authorities to better understand local conditions for resource allocation purposes? Is it for another purpose?
  - Proportionality: the measure should be carefully tailored in a way that is rationally connected to the specific purpose(s) to be achieved.
  - Effectiveness: the measure must be likely to be effective at achieving the defined purpose(s).
  - Minimal intrusiveness: while the least intrusive option for the intended purpose should be chosen, and data minimization should be applied, where that cannot be achieved or demonstrated, governments should clearly communicate the rationale for the level of personal information that they need to collect.
- Purpose Limitation: Personal information must be used for its intended public health purpose, and for no other purpose.
- De-identification: De-identified or aggregated data should be used whenever possible unless it will not achieve the defined purpose. Consideration should be given to the risk of re-identification, which can be heightened in the case of location data.
- Time-Limitation: Exceptional measures should be time-limited: any personal information collected during this period should be destroyed when the crisis ends, and the application decommissioned.
- Transparency: The government should be clear about the basis and the terms applicable to exceptional measures. Canadians should be fully informed about the information to be collected, how it will be used, who will have access to it, where it will be stored, how it will be securely retained and when it will be destroyed. Privacy Impact Assessments (PIAs) or meaningful privacy analysis should be completed, reviewed by Privacy Commissioners, and a plain-language summary published proactively.
- Accountability: Governments should develop and make public an ongoing monitoring and evaluation plan concerning the effectiveness of these initiatives and commit to publicly posting the evaluation report within a specific timeline. Oversight by an independent third-party – such as review and implementation monitoring by a privacy commissioner’s office – will help ensure accountability and reinforce public trust. While some privacy commissioners have the legal authority to conduct independent audits, it is encouraged that others be given this mandate by government through appropriate means. If the effectiveness of the application cannot be demonstrated, it should be decommissioned and any personal information collected should be destroyed.
- Safeguards: Appropriate legal and technical security safeguards, including strong contractual measures with developers, must be put in place to ensure that non-authorized parties do not access data and that it is not used for any purpose other than its intended public health purpose. Authorities must ensure the public are aware of associated risks and threats (e.g. online fraud or malware).
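The following is an added illustration, not code from any of the apps or from the commissioners' statement: a minimal per-device encounter log in the Bluetooth “handshake” style described above, written so that the purpose-limitation, de-identification and time-limitation principles are enforced in the data structure itself. The 14-day retention window, the integer day counter and the consent-gated export are assumptions for the example; the statement names no figures.

```python
import secrets

# Assumed retention window (days); the commissioners' statement gives no figure.
RETENTION_DAYS = 14


class EncounterLog:
    """Log of random tokens received from nearby phones, kept on the device.

    Days are integers (days since app launch) to keep the example self-contained.
    Entries hold only a random token and the day seen: no identity, no location.
    """

    def __init__(self):
        self._entries = []  # list of (token_hex, day_seen)

    @staticmethod
    def new_broadcast_token():
        # Fresh random token to broadcast; regenerating it often means a passive
        # listener cannot link one phone's broadcasts across the day.
        return secrets.token_hex(16)

    def record(self, token, day):
        # De-identification: only the neighbour's random token is stored.
        self._entries.append((token, day))

    def prune(self, today):
        # Time limitation: drop anything older than the retention window.
        cutoff = today - RETENTION_DAYS
        self._entries = [(t, d) for (t, d) in self._entries if d > cutoff]
        return len(self._entries)

    def export_for_health_authority(self, tested_positive, user_consented, today):
        # Purpose limitation and consent: the list leaves the device only on a
        # positive test AND an explicit, separate consent to upload it.
        if not (tested_positive and user_consented):
            return None
        self.prune(today)
        return [t for (t, _) in self._entries]  # tokens only, no day stamps

    def decommission(self):
        # When the measure ends, the local data is destroyed, not archived.
        self._entries.clear()
        return len(self._entries)
```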