Published on Wednesday, May 13, 2020 - 12:25 by Martin Fletcher
What a difference a few months makes. At the time the first cases of Covid – 19 were being identified by the World Health Organisation, I was crammed into a small bar in London ringing in the New Year with more people than I have seen in one place since around early March.
Four months down the line and governments across the world are scrambling to contain the most widespread pandemic of the modern era. When we are able to look back on all of this, the responses of different countries will provide a treasure trove of case studies as to how we handle these events in the future. They are also providing us with a demonstration of what restrictions and observation people are willing to submit to in the name of the common good.
For us privacy junkies, one of the most interesting developments has been the ongoing roll out of contact tracing technology. This has taken the form of mobile phone Apps which can alert individuals if they have come into contact with an infected individual, so that they will then know to self-isolate in order to avoid passing the infection on to others. The technology is already being used in Singapore and Israel, with development also taking place in the Czech Republic and Norway.
In the UK and the EU, privacy regulators have treated development of these applications with cautious optimism. The Information Commissioners Office have been providing support to the NHS in the development of a contact tracing solution NHSX, as part of this Elizabeth Denham has outlined questions that any data controller will need to be able to answer before proceeding. Similarly, the European Data Protection Board has stated:
“Automated data processing and digital technologies can be key components in the fight against COVID-19. However, one should be wary of the “ratchet effect”. It is our responsibility to ensure that every measure taken in these extraordinary circumstances are necessary, limited in time, of minimal extent and subject to periodic and genuine review as well as to scientific evaluation.”
So while there is an understanding among privacy specialists about the role this technology can play in a wider strategy to contain the virus, there are also warnings about the limits of the technology and ensuring that the processing is conducted securely and is not open to abuse.
One of the most recent countries to get in on the act is Australia, which is launching an App called COVIDSafe. The government in Canberra have released a Privacy Impact Assessment (PIA) for us to pore over. The document opens with an overview of the purpose of the Australian Government’s strategy, in which COVIDSafe would be playing a role. The purposes of the strategy are:
These aims reflect the strategies of most developed countries to the pandemic. So, I’m going to have a look through each of these points and identify questions governments will need to address to ensure the technology is used effectively and responsibly.
The common understanding is that contact tracing Apps will play a key role in limiting the spread of the virus. This is done by firstly encouraging the population to download the application, and then by ensuring that they self-report when they have been diagnosed with the illness.
While take up of the App will be encouraged by the government, Australia has already committed to ensuring there will be no coercion and people who refuse to use the App will not face discrimination. Similar statements have also been made by the ICO and the EDPB on any future App rollout in the UK and EU.
The Australian government has a target of getting 40% of the population to download the App. However in order to be effective a study by Oxford University has suggested that a 60% take up rate should be considered the minimum. Not reaching a sufficient level of penetration will mean that the Application is not able to trace contacts effectively and could even lead to a false sense of security among those who have downloaded it. In the UK, 80% of adults have a smart phone, meaning that you would need 75% of those individuals to download the application for it to be effective. Coupled with this is the fact that smart phones are not evenly distributed through the population. Smart phone ownership, whilst widespread, still skews somewhat towards younger, wealthier individuals.
Apple do not release figures on App downloads, however for Android the two most popular Apps are Facebook (74% penetration) and WhatsApp (71% penetration). So, even the most ubiquitous of mobile Apps would not quite scrape into the level of penetration deemed necessary for contact tracing to meet this first goal. Considering the high targets required for the App to be successful, a further question that could be asked is whether data should be deleted if a minimum floor is not met? For example15% of the population after 6 weeks. A DPIA ought to consider this as below a certain take up level there will only be a trace benefit to people that does not justify the intrusion.
In Singapore, one of the few advanced economies currently using contact tracing apps, 1 in 6 smartphone users has downloaded the App. Given Singapore’s history and tolerance of more intrusive observation in the name of the common good, it seems unlikely that Australia, the UK or the EU would be able to improve on this penetration rate. Any Privacy Impact Assessment will need to be able to demonstrate a public benefit that can arise from this level or take up by the population.
A benefit of contact tracing Apps could be in alerting individuals in vulnerable groups that they have potentially been infected and should seek treatment. By getting these individuals on the radar of the health service early, it may be possible to provide a better care and reduce the mortality rate of the virus.
There are various groups more likely to be at risk of severe harm from the virus, including obese individuals, smokers and those on certain immune-suppressant drugs. However, by a considerable margin, the largest vulnerable group in any developed nation is the elderly. Statistics show that the older an individual is, the more likely they are to become seriously ill or die with Covid - 19. However in the most vulnerable group of over 65s only 40% in the UK have access to a smartphone.
Given the above point on the level of uptake required to make these applications effective, it is unlikely that a contact tracing application on its own will be effective in managing spread of the virus among the most vulnerable.
The ICO has previously commented on the value of using data for trend analysis:
“Generalised location data trend analysis is helping to tackle the coronavirus crisis. Where this data is properly anonymised and aggregated, it does not fall under data protection law because no individual is identified.
In these circumstances, privacy laws are not breached as long as the appropriate safeguards are in place.
The ICO has provided advice about how data protection law can continue to apply flexibly to protect lives and data. The safety and security of the public remains our primary concern. We will continue to work alongside Government to provide advice about the application of data protection law during these unprecedented times.”
By being able to track infection rates across different regions, the health sector has access to a wealth of information that can be used to allocate resources effectively. However, as mentioned in the above statement, it is not necessary to process any identifiable information to achieve this purpose.
This objective is a little vaguer than the first three, the emphasis of it appears to be on providing individuals with sufficient information to make decisions regarding their health and their level of risk exposure.
The PIA produced does not address this point specifically, as it focusses more on the privacy risks involved in the data processing rather than what decisions individual citizens make based on the information they are provided with. In the coming months, helping people make informed decisions about their own level of risk appetite regarding infection could be valuable. However currently one third of the world’s population is under some form of mandatory lockdown, including Australia.
The case for mandatory lockdowns has already been clearly made and accepted by most people as a necessary restriction on freedom. Under such a situation, it is questionable whether it is desirable or even possible for individuals to make decisions about their personal exposure to infection risk. So, while a time will come where this information will be useful for people, it is doubtful that we will be there by the time these Apps go live.
The key point of any DPIA is to assess whether the purpose of the processing justifies the impact on privacy. The emphasis in most developed countries on avoiding coercion and discrimination against those who refuse to download a contact tracing App means that ultimately this may be a decision individuals will need to come to themselves. These decisions will be influenced by the message governments and application developers give about the purposes for processing.
If the aim is to save lives and reduce infections, then advocates for the technology will need to show how it will be combined with other controls. As on its own the Apps are unlikely to have a major effect unless there is an unprecedented degree of take up.
Whereas if the message to the public is that the Apps will help with resource distribution during the crisis, then governments will need to demonstrate the benefit of holding personally identifiable information above and beyond what can be done with anonymised data.
As time goes by and freedoms are gradually returned, the message could turn towards providing people with information needed to make risk decisions for themselves. While it is important for governments to address privacy issues relating to this, it is unlikely to be the main purpose of the Apps for at least a several months.
These applications will stand or fall on the level of trust governments can instil in their population regarding both their effectiveness and the security and responsibility of the data processing. It will be important for regulators and other privacy experts to continue challenging decisions that are made and supporting data controllers to ensure fair and compliant processing.
Back when we were mumbling our way through Auld Lang Syne, few of us could have foreseen where we would be today. The role of regulators and experts will be key in determining what data processors can justify doing when we get out of the other end of this. We’re all going to have to walk a fine line between the public good and unnecessary intrusion.
If you need a hand securing your remote working processes during COVID-19, we can help. Click here to find out more.
If you are interested in any of our services then please either use the contact form or contact us via of the methods below: