Governments and public health authorities around the world have been working to find a solution to the question as to how to ease lockdown restrictions which have been introduced to slow the spread of the COVID-19 pandemic without overburdening their health systems.
Some governments have been thinking about or have already been gradually lifting lockdown restrictions using COVID-19 mobile tracing applications. COVID-19 tracing apps can play an important role in managing the transition from strict lockdowns because they can warn users of an increased risk due to their contact with a person who has tested positive for COVID-19 and ask them to self-isolate. The hope is that contact tracing apps will help interrupt infection chains and reduce the risk of further virus transmission. However, there are important data protection considerations associated with developing and using such apps because they depend on the collection, use and disclosure of a significant amount of personal data.
According to the World Health Organisation, contact tracing is “the process of identifying, assessing, and managing people who have been exposed to a disease to prevent onward transmission”. In the early stages of a pandemic, contact tracing is usually a manual process when an infected individual shares a list of their social interactions with the epidemiology team who follow up with the individual’s contacts to assess symptoms and recommend self-isolation. However, manual contact tracing is very labour intensive and that is where app-based tracing might become helpful.
In the context of the COVID-19 pandemic, a contact tracing app might be able to slow the spread of the virus but it success depends not only on the technological solution adopted but also widespread adoption.
Different technological solutions have been considered when developing contact tracing technology. It is thought that the use of GPS signals, which provide the device’s geolocation information, is not suited to COVID-19 contact tracing because it cannot accurately determine close proximity of users. GPS-enabled smartphones are typically accurate to within a 4.9m radius under open sky but this is more than the 2m distance recommended by the UK Government for people to keep safe from the virus. Moreover, GPS data is geolocation data which users might be unwilling to share with the government or other users.
Currently, Bluetooth seems to be the preferred technological solution because it can monitor other phones in an area without tracking specific location of individuals. When users of a Bluetooth-based contact tracing app come close to each other, their apps can estimate the distance between them using Bluetooth signal strength and log the encounter with an identifier of the other user (which can change overtime to add an additional privacy protection).
However, Bluetooth also has several limitations. Firstly, Bluetooth might not be able to take into account the physical surroundings in which individuals are living in, for example whether users are wearing protective equipment or are separated by a wall, therefore likely leading to over-reporting. Secondly, the Bluetooth solution depends on the use of smartphones and specific apps which excludes people who do not own a smartphone or do not have the smartphone on them all the time. Over reliance on this type of technology may lead to certain sections of the population being unfairly adversely affected. Finally, even if a contact tracing app is used by high percentage of population, the technological solution adopted must work on devices with different hardware parameters (including different specifications of Bluetooth) and running different versions of software.
Several initiatives have been started to address some of these concerns. For example, the Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) aims to provide a technology and security framework that can be adopted by developers of contact tracing apps.
The use of contact tracing apps
In Singapore, the Government Technology Agency and Ministry of Health introduced the TraceTogether app. TraceTogether uses the Bluetooth Relative Signal Strength Indicator readings between devices across time to estimate the proximity and duration of an encounter between two users. This information is stored on the user’s phone for 21 days on a rolling basis and older information is deleted. If a user falls ill with COVID-19, the Ministry of Health can gain access to their TraceTogether data to map the user’s activity for contact tracing. TraceTogether does not gather the user’s location data.
Other governments, including that of Germany, France and the United Kingdom, have now announced they were working on developing contact tracing apps to detect possible chains of COVID-19 infections.
Developments in the UK
In the United Kingdom, it has been reported that NHSX, the innovation arm of the NHS, has been working on a Bluetooth-based app in collaboration with the academic and private sectors.
On 12 April, Matt Hancock, the UK Health Secretary, confirmed plans for NHSX to launch the app which will alert users who voluntary download the app if they have been in close proximity to someone who has also downloaded the app and is feeling unwell (yellow alert) or with a confirmed COVID-19 diagnosis (red alert). The Health Secretary said that the app involved collaboration with “the world’s leading tech companies”. The app is expected to be rolled out in the coming weeks.
While the exact technological solution of the NHSX app and its parameters are yet to be announced, there remain important data protection considerations associated with any contact tracing app. The amount and type of personal data that is potentially collected also increases cybersecurity risks.
Data protection considerations
- Architecture: What technology (e.g. Bluetooth / GPS) and security protocols will be adopted? How will the data be encrypted?
- Access to the data and purpose: Who will have access to the data collected (the government, health authorities, academia, police, private companies, other app users)? What can the data be used for by these parties?
- Categories of data collected: Will the app collect the user’s name and contact details, their geolocation data, whether they are showing symptoms and / or have been tested positive for COVID-19?
- Data retention: How long will the data be retained for? Will it be anonymised or deleted at the end of the COVID-19 pandemic?
- Data storage: Will the data be stored on the user’s smartphone or centrally?
- Legal basis: What will be the legal basis for processing the personal data? Will the app rely on user’s consent or use public interest as a basis for processing?
- Quality of data: Will the app notify other users only if the user tests positive or also if they self-report that they have been showing symptoms? How will the app ensure that users do not abuse the notification feature?
- Users: Will users be required to use the app or will it be voluntary? Will children be expected to use it as well?
Data protection regulators have been actively engaged in the debate to ensure that the different parties involved in developing contact tracing apps comply with data protection laws. The UK’s Information Commissioner’s Office (the “ICO”) has stressed that data protection legislation does not necessarily prevent organisations from taking the steps they need to in order to keep the public safe and supported during the present public health emergency. The ICO confirmed that it will continue to work alongside the Government to provide advice about the application of data protection law during these unprecedented times.
On 3 April 2020, the European Data Protection Board (the “EDPB”) announced that it will, as a priority, issue a detailed guidance on data processing in the fight against COVID-19 with a specific focus on geolocation and other tracing tools and processing health data for research purposes.
Similarly, the European Commission has introduced a “toolbox” which provides an EU-wide guidance for the use of mobile applications to combat and exit from the COVID-19 crisis.
Contact tracing apps are not a silver bullet that will end the COVID-19 pandemic. However, they might prove to be a useful tool for managing the health situation especially as lockdown restrictions are being relaxed.
The success of such apps will depend on widespread adoption by the population which will, in turn, depend on the trust that people have in the apps and how transparent they are about user privacy, including questions such as what data will be collected, for what purpose and who will be able to access it. As governments rush to deploy these apps, it will be important to get these data protection considerations right so that local social and cultural differences are respected when balancing surveillance with user privacy.