A statement by the Global Privacy Assembly’s Executive Committee.
Data protection and privacy authorities around the world are working together with public bodies and commercial organisations to respond to and manage the global COVID-19 pandemic. Our March 17, 2020 statement observed that GPA member authorities operate under data protection and privacy laws that enable the use of data to protect public health, while also protecting the public’s personal data in a way that the public expects.
GPA authorities are working to assist public bodies and organisations to understand what good practice looks like in a pandemic. We are therefore encouraged to hear that many member authorities have, since our March statement, been engaged by organisations and public bodies in a common effort to overcome COVID-19. This acknowledges the need to work constructively to ensure privacy is protected as we seek solutions to this public health crisis.
COVID-19 contact tracing and public trust
Many authorities are at this time advising, reviewing and consulting on contact tracing measures. The issues being considered around the world are similar and revolve around universal data protection and privacy principles.
Contact tracing has historically been a vital pandemic response tool. Many governments around the world wish to harness technology to automate traditional contact tracing methods, which may be labour-intensive. Smart phone contact tracing apps are therefore being designed and rolled out globally.
We are issuing this statement about contact tracing measures being implemented around the globe because we recognise that public trust and confidence in the way personal information is handled and protected is a necessary precondition for their success. Whilst the public interest case is strong, protecting privacy and acting in accordance with public expectations is part of achieving the solution.
The success of contact tracing apps will depend on the trust of individual members of the public that their privacy will be protected appropriately and wider ethical considerations have been addressed. Uptake may be higher if governments and organisations transparently demonstrate that privacy risks have been adequately addressed. Authorities are playing their part in achieving fit-for purpose privacy protections, and wherever possible are prioritising consultation requests about COVID-related measures.
Privacy considerations in contact tracing design, implementation and operation
The value of privacy by design lies in ensuring privacy is carefully considered when developing new technologies in the interests of protecting public health. The data and privacy protection work of GPA authorities not stand in the way of innovation, rather privacy by design is a key enabler for both ethical and lawful innovation and the protection of personal data.
Privacy and data protection impact assessments (DPIAs) help ensure public bodies and organisations take a privacy by design approach by documenting in advance what their intended use of data is and how this can inform limitation in data collection, identifying the risks that their use of data could create, and developing strategies to mitigate those risks to inform the design. In conducting this impact assessment, organisations may need to consult and engage with their intended user base and with regulators. DPIAs should also be clear about other possible current and future uses of the data, such as for research in the public interest. A DPIA can also be iterative, updated as needed, and provide opportunities for further engagement and public debate when it is made available for wider scrutiny.
In the current circumstances of the pandemic, measures are being developed as a direct response to these extraordinary circumstances. Time limitation is therefore also critical in establishing public trust in these responsive measures.
The following questions are addressed to organisations and governments engaged in contact tracing measures and can inform the development of contact tracing apps to ensure personal information is protected and the impact on privacy is minimised:
- Have you adopted a privacy by design approach?
- Have you conducted an assessment of the privacy risks? Is this assessment up to date?
- Have you addressed the security, safeguards, and necessity of both centralised and decentralised models?
- Have you had open and constructive engagement with your data protection authority?
- Are you being transparent with users, including providing a clear privacy statement or notice where required by law?
- Are you being transparent in a way that facilitates public debate?
- Is your contact tracing app temporary and will data be deleted when no longer required?
- Do you intend to retain data for research in the public interest? If so, what privacy protections have been adopted and is anonymisation envisaged at design stage?
- Do you have a process in place to revisit privacy implications if features are proposed to change?
Looking ahead to other COVID-19 measures and privacy
Some governments around the world are contemplating other pandemic responses involving personal information such as immunity passports, temperature checks and customer identification requirements. The principles set out in this statement also apply to these and other measures that may be considered, and further clarifying statements on those measures will be issued as required. The GPA will continue to listen to concerns from its member authorities to ensure our efforts address the most pressing issues being brought to the attention of GPA authorities by those working on COVID-19 measures.
– GPA Executive Committee
For more information and resources visit the GPA COVID-19 Response Repository.