ICO’s privacy considerations for COVID-19 related data processing and Google-Apple joint contact tracing technology outlined by the Information Commissioner, Elizabeth Denham.
The ICO’s privacy considerations for COVID-19 were recently mapped out in a recent blog by the Information Commissioner, Elizabeth Denham, some weeks after their original statement on Coronavirus was released. While the ICO clarified in their initial statement that data protection laws do not get in the way of the use of innovation in a public health crisis, the legal principles of transparency, fairness and proportionality remain relevant. Last week on our blog,we reported that the ICO released a statement on their approach to regulation during the coronavirus pandemic . This week, the ICO has provided us with some more clarity in the face of emerging technology to be used to combat the spread of the virus, specifically geared towards parties who use or intend to use these technologies. This framework is specific and covers a few key aspects of privacy to be met by any initiative, technology or company wishing to gather public data for the sake of fighting this global pandemic, in order to maintain both the trust of the public, and their social license.
The ICO’s Privacy Considerations for COVID-19 related Data Processing.
Through the use of a quick Q and A in the recently released blog, the Information Commissioner has outlined her framework for new technologies to ensure that the privacy implications are properly considered. She states that a privacy impact assessment is required, at the very least, to demonstrate how privacy is built into the processor technology. The planned collection and use of personal data must be necessary and proportionate, even while we as a society accept a few limitations on liberty for the protection of public health. App developers are expected to provide users with clear information on how their information was being used, and any applicable options for avoiding processing. Data minimisation continues to be paramount and there should be ongoing monitoring and evaluation of data processing – to ensure it remains necessary and effective. The commissioner also noted in her blog that privacy assessments should be revisited and updated when possible.
ICO also published a formal opinion on privacy considerations of Google and Apple’s joint technology.
As it relates to the contact tracing technology introduced by Google and Apple in a joint venture earlier this month, The ICO has published a formal opinion speaking specifically to the privacy considerations of this technology. This joint initiative is “‘a comprehensive solution that includes application programming interfaces (APIs) and operating system-level technology to assist in enabling contact tracing”, and will utilize apps from public health authorities. In this document outlining the ICO’s formal opinion, the Information Commissioner notes a few key features of this initiative which are paramount to maintaining safe data processing and privacy. The contact tracing framework (CTF) appears to comply with the principle of data minimisation, by not including personal data, or using location data. So far, all CTF proposals appear to be voluntary, and any post-diagnosis upload of stored tokens to the app developer require separate permissions. In addition users also have the option of disabling Bluetooth on their device, which is the technology used by these apps. They also have the options of disabling or deleting the app altogether. There seems to be several security measures in place for the exchange
of information between devices and the upload of information to the app with the CTF.
The commissioner also noted in this document, that this CTF technology shows signs of possible evolution beyond its current state and use, and must be mindful of the risks of development beyond the stated purpose of contact tracing for COVID-19 pandemic response
efforts. Purpose Limitation is a core principle of data protection on an international scale and as such the Information Commissioner will be keeping a close eye on this framework making sure that it does not fall victim to the phenomenon known as “scope creep”.
According to Cristina Contero Almagro, partner at Aphaia, “these apps should be especially careful with data breaches, as data subjects may be potentially identifiable by matching the encrypted codes with their IP addresses, which are personal data that may be stored in the server”.