As Ottawa considers national measures including mobile contact tracing apps to help health authorities limit the spread of the COVID-19 virus, Canada’s privacy commissioner today issued guidance on how far it should go.
The crisis may prompt the federal government to consider “more extraordinary and less voluntary measures” in collecting personal information and using big data, the document says in an introduction. But while laws including the federal Personal Information Protection and Electronic Documents Act (PIPEDA) can be applied flexibly and contextually, they must still apply.
“Our framework aims to focus on what we believe are the most relevant principles in context, without abandoning others,” Commissioner Daniel Therrien said in a statement. “Because privacy is a fundamental human right, it is very important in our democratic country based on the rule of law that key privacy principles continue to operate.”
Any measure has to comply with six guidelines:
- The proposed measures must have a clear legal basis;
- The measures must be necessary and proportionate, and, therefore, be science-based and necessary to achieve a specifically identified purpose;
- Purpose limitation: personal information must be used to protect public health and for no other purpose;
- Use de-identified or aggregated data whenever possible;
- Exceptional measures should be time-limited and data collected during this period should be destroyed when the crisis ends;
- Transparency and accountability: The government should be clear about the basis and the terms applicable to exceptional measures, and be accountable for them.
Meanwhile, on Thursday the European Union issued data protection and privacy guidelines software developers will have to follow if they want mobile contact tracing apps approved in the EU.
The proposed rules say apps:
- Should be implemented in close coordination with, and approved by, public health authorities;
- Should be installed voluntarily, and dismantled as soon as no longer needed;
- Should aim to exploit the latest privacy-enhancing technological solutions. Likely to be based on Bluetooth proximity technology, they do not enable tracking of people’s locations;
- Should be based on anonymized data: They can alert people who have been in proximity for a certain duration to an infected person to get tested or self-isolate, without revealing the identity of the people infected;
- Should be interoperable across the EU so that citizens are protected even when they cross borders;
- Should be anchored in accepted epidemiological guidance, and reflect best practice on cybersecurity, and accessibility;
- Should be secure and effective.
Several Canadian privacy experts have expressed skepticism about the need for a mobile app, fearing it will be turned into a tool for government monitoring and surveillance. For example, Singapore’s app is voluntary but residents who test positive for the coronavirus are required by law to assist the health ministry in accurately mapping out their movements.
In Canada, privacy experts protested when regional police in Waterloo, Ont., were given permission to access a database of people who have the virus when questioning anyone. The police board says the confidential health information can only be used to protect frontline responders and the community. This follows a provincial policy on COVID-19 disclosure. Waterloo police say they will take the COVID-19 status information off police records within six months of the end of the state of emergency.
To meet those concerns, some have proposed making adoption of apps voluntary, prompting critics to counter that low adoption will make the apps useless. To that, app proponents suggest that making contact tracing apps respect privacy rules and not collect data will make them more trustworthy and therefore likely to increase public adoption.
Many privacy experts also oppose contact tracing apps that would include GPS location tracking, which would give governments a history of almost precisely where people have been. In response, some jurisdictions (Singapore, for example) and developers (the Google/Apple partnership) have created or proposed apps that use Bluetooth to collect an anonymized list of the mobile devices of people who have been nearby during the previous 14 days. If a person tests positive for the virus, health authorities send an electronic warning notice to those on that person’s list.
Meanwhile, a Montreal startup is working on a contact tracing app using artificial intelligence to predict a person’s probability of having the disease based on contact history and medical information. One of the developers has outlined details here.
UPDATE: In an email, a spokesperson for the federal privacy commissioner said his office has been discussing this proposed app with its developers and notes that it finds several key privacy principles of the framework have already been adopted. In addition, the spokesperson noted the app would be based on consent and users would download it voluntarily. “A key consideration for us is that users understand that using the app is indeed voluntary.”
Another key consideration is that, whatever the solution, it must get input from public health authorities, the spokesperson added.
Health experts say widespread adoption of a contact tracing app is vital for it to be worthwhile in supplementing the manual efforts of contact tracers. These are people who help track down those who have been in recent contact with those who have tested positive for the virus to urge them to be tested and self-isolate. Health authorities say nation-wide self-isolation rules can’t be eased without effective contact tracing. Otherwise, the number of those hit with the virus will leap as people go back to work.