Contact tracing apps have been identified as a potentially important part of the response to COVID-19 and are now being developed in many jurisdictions, through both public and private initiatives. For example, Singapore has already deployed a contact tracing app and Alberta Health Services is using a similar app, tweaked for their use. Likewise, it has been widely reported that Apple and Google are working together to develop a contact tracing app and the media has covered contact tracing apps in Canada as well. As Dr. Bonnie Henry (BC’s chief medical officer) recently joked: “Everybody and their dog has an app out right now”.
These apps have raised concerns about the personal information that they may collect, including questions as to where and by whom such information is stored, and for how long. This has led data protection authorities around the world to weigh in on whether and how these apps can or would comply with various privacy laws, including very detailed analyses by the United Kingdom’s Information Commissioner’s Office. In some countries, new legislation has also been proposed to address data privacy issues raised by these apps.
In Canada, there is no national contact tracing app being developed. Instead, each province has been left to determine its own path forward. Alberta has been the first province to roll out a contact tracing app, with the support of that province’s privacy commissioner. The app, ABTraceTogether, uses “digital handshakes” to track contacts. The app uses Bluetooth to maintain an anonymous log of encrypted personal identification numbers of app users that have come within 2 metres of the device on which the app is running. If the app user tests positive for COVID-19, the user is asked to volunteer to provide the information to the app, which would allow Alberta Health Services to use the information to contact others who have been in contact with that person (based on the app’s log). The app does not rely on GPS data and maintains the information for only 21 days.
Canadian Privacy Regulators – Principles of Contact Tracing Apps
In the face of these many and rapid developments (including prior statements by other regulators), on May 7, 2020, the Canadian federal, provincial and territorial privacy commissioners issued “Supporting public health, building public trust: Privacy principles for contact tracing and similar apps”, a joint statement on the privacy implications of contact tracing apps.
The joint statement recognizes that government and public health authorities “are looking for ways to leverage personal information to contain and gain insights” about COVID-19, without outright rejecting the idea of leveraging such information. But it notes that some of the measures being contemplated, and the decisions that are made about how to balance public health with privacy, which it calls a “fundamental Canadian value”, “will shape the future of our country.” For those reasons, the joint statement “invites” the federal and provincial governments to respect the following 9 principles:
- Consent and trust: The statement provides that the use of any app must be voluntary. This was perhaps to be expected, as consent for the collection and use of personal information is generally the foundation of the privacy statutes across Canada. However, this suggests that the privacy commissioners do not at this time see the development and use of a contact tracing app as being permitted by any of the exceptions under such privacy statutes that would allow for collection or use without knowledge or consent, and would not expect governments to pass legislation to authorize such collection and use without consent. This principle is important in light of the public criticism about the effectiveness of voluntary apps both in Alberta and Singapore. For example, it is not clear that the app will be effective in Alberta, where users who have downloaded the app make up only 3% of the province’s population.
- Legal Authority: The proposed app “must have a clear legal basis and consent must be meaningful”. This also means that separate consent must be provided “for all specific public health purposes intended” and should not be “accessible or compellable by service providers or other organizations”.
- Necessity and Proportionality: The measures must also be “necessary and proportionate”, meaning they are: (i) science-based; (ii) necessary for a specific purpose, which must be defined with “some specificity”; and (iii) tailored to that purpose and likely to be effective, in that there must be a rational connection to the identified purpose. Only the information necessary to achieve those purposes should be collected.
- Purpose Limitation: “The personal information collected may not be used for any purpose other than the one for which it was intended.”
- De-identification: “De-identified or aggregate data should be used whenever possible.” The regulators have also asked that consideration be given to the risk of re-identification.
- Time-Limitation: These measures must be time-limited: “Any personal information collected during this period should be destroyed when the crisis ends, and the application decommissioned.”
- Transparency: “Government should be clear about the basis and the terms applicable to exceptional measures and Canadians should be fully informed about the information to be collected, how it will be used, who will have access to it, where it will be stored, how it will be securely retained and when it will be destroyed.” Further, the regulators have asked for privacy impact assessments to be completed and provided to them, as is being done in respect of Alberta’s app.
- Accountability: “Governments should develop and make public an ongoing monitoring and evaluation plan concerning the effectiveness of these initiatives and commit to publicly posting the evaluation report within a specific timeline.” The regulators have also proposed oversight by an independent third party as a way to achieve accountability.
- Safeguards: “Appropriate legal and technical security safeguards, including strong contractual measures with developers, must be put in place to ensure that any non-authorized parties do not access data and not to be used for any purpose other than its intended public health purpose.”
These 9 principles generally track the consent requirements and privacy principles contained in both provincial and federal privacy legislation (for example, many of the principles track the Personal Information Protection and Electronic Documents Act (PIPEDA) principles, which include consent, accountability, and safeguards). These principles also track the principles set out in “A Framework for the Government of Canada to Assess Privacy-Impactful Initiatives in Response to COVID-19”, released by the Office of the Privacy Commissioner in April 2020.
However, in developing a tracing app, regard must be had to the applicable legislation and not solely the guidance outlined above. Which privacy statute is applicable will depend on which entity (public or private, federal or provincial) is collecting the information. For example, the federal Privacy Act would apply to Health Canada, while PIPEDA would apply where a private organization is collecting, using or disclosing personal information in the course of commercial activities (perhaps for employees). There are also various provincial statutes that may apply. Consequently, these principles will be applied to public and private entities differently. For example, it is not clear whether private-sector employers will be given the same latitude as public sector authorities with respect to the necessity and proportionality test.
Alberta as a Test Case
The Information and Privacy Commissioner of Alberta is reviewing a privacy impact assessment for the ABTraceTogether app that was recently launched in Alberta, and will provide recommendations directly to the Government of Alberta. It previously released a statement on May 1, 2020 in support of efforts by Alberta Health to use a contact tracing app that was “less intrusive” than some others. It stated: “Ensuring this app is voluntary, collects minimal information, uses decentralized storage of de-identified Bluetooth contact logs, and allows individuals to control their use of the app are positive components.” The Information and Privacy Commissioner of Alberta said it had “received a privacy impact assessment on the app” and “sent questions to Alberta Health to clarify certain aspects of the PIA.” This included seeking confirmation that the data collected through this app is to be used for contact tracing, and not for any other purpose.
Looking Outside of Canada
The joint statement, as compared to other regulator statements, is short and high level, outlining the principles that should govern such apps, perhaps because there is not a particular app being proposed in Canada at this time. One might expect a more detailed commentary from the Alberta privacy commissioner following its review of the privacy impact assessment of the Alberta app.
In the United Kingdom, on April 17, 2020, the Information Commissioner’s Office (ICO) issued an opinion on the Apple and Google initiative, based on the information available to it at that time, and also released detailed expectations regarding the development of tracing apps more generally. Those expectations rely on similar principles to those set out above, including: transparency (about the purpose of the app, design choices and benefits); minimizing the collection of information; protection of user information, including through secure processes; and time limitation on the use of the information. The ICO goes further to outline best practices for (i) scope, requirements and design; (ii) development, deployment, onboarding and operation; and (iii) decommissioning.
Elsewhere, in Australia and the United States, for example, legislation has been proposed to assist in regulating the collection of information through contact tracing apps (to address, among other things, consent issues, deletion rights and enforcement issues). And in Israel, the Supreme Court has ruled that the government there must pass legislation in order to regulate the collection and use of cell phone tracking information.
As governments look to reopen economies, the conversation around the use of contact tracing apps will intensify. Canadian organizations should be aware of this recent announcement by the privacy commissioners and should also have regard to the specific statutes that may apply to them. It is helpful to also review more detailed guidance, such as that released by the UK’s ICO, in considering best practices for the development and use of the app. These activities may be affected by legislation passed to address these issues, although that does not appear imminent, and by privacy rights advocates who have expressed concern about such apps to at least one regulator.
Although these principles have been directed specifically at governments, businesses should also consider these principles as they may look to develop ways to implement contact tracing within their own workplace, particularly as we start to return to work, including how to obtain consent, where and how data will be stored, and for how long.