New technology is always going to prompt questions about privacy for users. Free app users get so used to the convenience that they eventually forget the hidden cost: they may be sacrificing their privacy. When it comes to COVID-19, a contact tracing app could be an important tool for tracking the spread of the virus.
But how should its design be approached, especially when the concern is immediate? No one could have anticipated the scale at which COVID-19 has impacted our world. However, the GDPR’s principles can help ensure a technology that everyone can trust.
The GDPR’s principles define acceptable practices for both the collection and organisation of personal data. Such as
For a contact tracing app, this foundation can serve as a blueprint for the app’s architecture and how its anonymised data will be processed. As people contract the virus and recover, GDPR can also govern how different cases will be processed.
Coronavirus has been so all-encompassing in part because we simply don’t understand it. Why people’s reactions differ is still a mystery to scientists. The more data we have, the more this veil is lifted through the analysis of transmission patterns. GDPR can be used to think about how the data should be catalogued, stored, and deleted.
Obviously, Personally Identifiable Information (P.I.I.) will need to be technically secured with access controls and encryption. But individuals should also be able to access and request modifications to their own data if need be. As time goes by, individuals should have the opportunity to update their information to maintain the quality and integrity of the information on file.
Different third parties beyond the app’s developers – e.g., engineers, government officials, healthcare professionals, etc. – will need to be considered: how data is shared with and accessed by them, and what controls are in place in the event of a compromised external processor.
Contact tracing should limit P.I.I., ensuring contacts of an infected party are only told how long they were exposed and where it occurred. South Korea is already seeing problems with alerts that share too much information: people are searching anonymised case file numbers online and piecing together identities based on the user’s whereabouts.
To comply with GDPR, information must be obtained fairly, and the individual must know how their medical and personal information is going to be used.
The healthcare industry is siloed. Contact tracing can be an effective way to consolidate data for a more comprehensive understanding of how certain conditions impact one another. It’s easy to see why researchers might want to understand how coronavirus interacts with other diseases, from diabetes to heart conditions.
But under GDPR, personal information should only be collected for a specific purpose; in this case, to slow the spread of coronavirus. If researchers want to use the data for anything else, the data should be anonymised, or they should build in a process to obtain the additional consent they would require to use the data in other ways.
Data minimisation means collecting and processing only the data needed to achieve the goal of the technology. A Covid-19 tracing application would only need to know whether someone contracted the virus, and where they’ve been during a certain time frame prior to contracting it (as opposed to their entire medical history or identity).
Inaccurate data renders many applications useless, and a contact tracing app could wind up being useless to users and analysts alike if its data is inaccurate. Under GDPR, the rules are to collect accurate data and to keep updating it as needed to reduce the risk to the individual. Building checks and controls into the app so that stakeholders, whether the individuals whose personal data is being processed or the testing facilities, can rectify any inaccuracies will be key to its success.
If data is wrong or outdated, it needs to be either updated or erased. This can help control the spread of misinformation and give all users a sense of trust in the received alerts.
The processing purpose is the driving factor behind storage limitation. Personal data should not be retained beyond the time frame required by researchers. However, in the case of coronavirus, storage limitation may be tricky. The value of the data for research will remain years after the value to the individuals who were using the app to reduce their likelihood of being infected by Covid-19.
To define adequate retention periods, the goal must be clear. If contact tracing is used to reduce the spread of Covid-19, should the data only be stored for a couple of weeks? Should it only be deleted once 70% immunity has been reached? Can it be held indefinitely for research purposes if it’s anonymised, and if so, at what point does that occur?
The GDPR does allow a retention exemption. Information can be kept for either scientific or archiving purposes if it’s in the public’s best interest. It’s easy to see how this could be the case for this Covid-19 data.
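The minimisation, accuracy and storage limitation principles discussed above, applied to a contact tracing data store, as an added illustration that is not part of the original post. The record layout, the `ExposureStore` class, the pseudonymous `contact_token` and the day-number timestamps are all assumptions made for this example; a real app would use rotating tokens and real timestamps.

```python
from dataclasses import dataclass


@dataclass
class Exposure:
    # Minimised record: a rotating pseudonymous token (not an identity), how long
    # the contact was exposed, where, and on which day. No name, no medical history.
    contact_token: str
    exposed_minutes: int
    location: str
    observed_day: int          # constructed day number; a real app would use a timestamp


class ExposureStore:
    ALLOWED = {"contact_token", "exposed_minutes", "location", "observed_day"}

    def __init__(self, retention_days: int = 14):
        self.retention_days = retention_days
        self._records = []

    def record(self, **fields) -> Exposure:
        # Data minimisation: refuse any field beyond the tracing purpose.
        extra = set(fields) - self.ALLOWED
        if extra:
            raise ValueError(f"not needed for contact tracing: {sorted(extra)}")
        rec = Exposure(**fields)
        self._records.append(rec)
        return rec

    def rectify(self, token: str, observed_day: int, **changes) -> bool:
        # Accuracy: the data subject or a testing facility corrects duration/location.
        for rec in self._records:
            if rec.contact_token == token and rec.observed_day == observed_day:
                for key, value in changes.items():
                    if key not in ("exposed_minutes", "location"):
                        raise ValueError(f"cannot rectify {key}")
                    setattr(rec, key, value)
                return True
        return False

    def purge_expired(self, today: int) -> int:
        # Storage limitation: erase records older than the retention window.
        cutoff = today - self.retention_days
        before = len(self._records)
        self._records = [r for r in self._records if r.observed_day >= cutoff]
        return before - len(self._records)

    def alerts_for(self, token: str) -> list:
        # Alerts carry only duration and place, never who the index case was.
        return [{"exposed_minutes": r.exposed_minutes, "location": r.location}
                for r in self._records if r.contact_token == token]
```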
Personal information is meant to be kept away from any internal or external unauthorised use. This covers both intentional crime and accidental loss or damage. Security experts will need to thoroughly review the app to ensure adequate logical and physical security controls are in place. Contact tracing data should be encrypted at all points, with access controls limiting access to authorised parties only.
A legal framework, like the GDPR, ensures that individuals can use the judicial system to protect their rights. All stakeholders in a tracing application, including governments, should be accountable. The organisations involved need to know that the supervisory authorities will be monitoring how they’re using the data.
As we consider how technology might help us in our battle against Covid-19, we need to consider how the personal data compiled by a tracing app could affect our privacy. While trading some privacy for health reasons may be an easy trade-off to make, we need to be careful not to sign off on invasive technology. It can’t be the slippery slope leading to an Orwellian future.
The EU’s GDPR was put in place for exactly these kinds of situations. It helps individuals and companies deliver technology solutions while considering data protection and privacy, by applying a set of standards for how personal data is collected, used, stored, and eventually deleted. What a given technology is doing with personal data should be transparent. When individuals install an app, they should know the effects on their data: how it will be used, for how long, and when it will be deleted for good. If their information is used for unintended purposes, or if it’s compromised due to a lack of safeguards, recourse should be available.
Privacy and organisations’ use of personal data will continue to be a hot topic. GDPR principles may not solve every problem, but they do give us a reliable, well-referenced framework for solving all kinds of practical problems. PrivIQ can help your organisation consider data protection compliance measures.