
Contact Tracing Apps and Privacy in the time of Coronavirus

Updated: Aug 30, 2021

Why Trust is just as important as Tech

In the fight against the COVID-19 pandemic, even the most libertarian among us might still consider whether encroaching on people’s freedoms can be justified as a means to curtail it. Privacy is one of those freedoms. The ability to use technology to locate, contact trace and get in touch with infected or at-risk individuals, as seen in countries lauded for managing the virus more successfully, arguably comes at the cost of our privacy rights as individuals.

Contact tracing apps can be a valuable tool for agencies and organisations to limit the spread of COVID-19. But the public health imperative should not give reason to throw out the privacy rule book. The success of a tracing app depends on as much of a population downloading the app as possible. If we’re to be convinced to voluntarily download this app we need to feel assured that only data which is absolutely necessary will be used, that appropriate security is being applied, that there is full transparency over how our data will be used, and that our data will be destroyed as soon as this pandemic is over. Retaining our trust should be imperative enough to respect privacy law. Rushing to produce technology that fails on any one of these criteria risks losing the trust required for us all to download it in the first place.

Singapore’s “TraceTogether” app has been considered a success story in curtailing the spread of COVID-19. As of 31 March, the app has been downloaded by 1 million residents. The app relies on users’ Bluetooth signals to track others in close proximity who also have the app. If someone with the app tests positive for COVID-19, the app has the potential to detect others who were in close contact (within 2 metres for at least 30 minutes). This can be done much more quickly and effectively than relying on an individual’s own account.

In response to those of us concerned that use of the app could come at the price of a user’s privacy, the developers of TraceTogether assert that no personal details such as an individual’s name are collected, and that the app does not store location data or phone numbers. Instead, data logs are stored on phones in encrypted form, and information on potential close contacts is stored not by their phone numbers but by using cryptographically generated temporary IDs.
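The sketch below is an added example, not TraceTogether's code or protocol. It illustrates the design described above under stated assumptions: temporary IDs are an HMAC of a per-user secret and a 15-minute rotation window, the phone log holds one row per minute observed, and "at least 30 minutes" is counted cumulatively. All names and sample data are constructed.

```python
import hashlib
import hmac
from collections import defaultdict
from typing import Optional

ROTATE_MINUTES = 15   # assumed rotation period (not stated in the article)
MAX_METRES = 2.0      # close-contact distance quoted in the article
MIN_MINUTES = 30      # close-contact duration quoted in the article

def temp_id(secret: bytes, minute: int) -> str:
    """Temporary ID broadcast during the rotation window containing `minute`."""
    window = minute // ROTATE_MINUTES
    mac = hmac.new(secret, window.to_bytes(8, "big"), hashlib.sha256)
    return mac.hexdigest()[:16]

def resolve(tid: str, minute: int, registry: dict) -> Optional[str]:
    """Authority-side lookup: only a holder of the per-user secrets
    can map a temporary ID back to a registered pseudonym."""
    for pseudonym, secret in registry.items():
        if hmac.compare_digest(temp_id(secret, minute), tid):
            return pseudonym
    return None

def close_contacts(log, registry):
    """log rows are (minute, temp_id, estimated_metres) as stored on a phone.
    Returns pseudonyms seen within MAX_METRES for at least MIN_MINUTES."""
    minutes = defaultdict(int)
    for minute, tid, metres in log:
        if metres <= MAX_METRES:
            who = resolve(tid, minute, registry)
            if who is not None:
                minutes[who] += 1
    return sorted(p for p, m in minutes.items() if m >= MIN_MINUTES)

def distinct_ids_seen(log):
    """What the phone itself can tell: a count of unlinkable identifiers."""
    return len({tid for _, tid, _ in log})

# Constructed sample data: two registered users and one phone's log.
REGISTRY = {"user-A": b"a" * 32, "user-B": b"b" * 32}
SAMPLE_LOG = (
    [(m, temp_id(REGISTRY["user-A"], m), 1.5) for m in range(0, 35)]
    + [(m, temp_id(REGISTRY["user-B"], m), 1.0) for m in range(0, 10)]
    + [(m, temp_id(REGISTRY["user-B"], m), 6.0) for m in range(10, 60)]
)
```

The phone's log contains only rotating identifiers; linking them to a person, and summing contact time across rotations, requires the registry held by whoever issued the secrets.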

The app’s success will no doubt garner interest from other countries wishing to use similar technology, and Singapore is reportedly making the technology behind TraceTogether freely available to developers around the world.

Here in Australia, and for those governed by the European GDPR (such as the UK), there is no reason for public health imperatives to trump privacy ones. There is no reason for government agencies or businesses to choose between beating the virus and upholding the law, and so risk losing the trust of affected individuals.

There is a real risk of harm if individuals’ names and personal details are released – not only could it cause unnecessary stigma to the individual, but also to any other individuals or businesses which they have frequented whilst contagious. Privacy concerns are likely to grow with any expanded adoption of contact tracing technologies if the data collected could be decrypted and analysed whenever the recipient deemed it necessary at its own discretion. Also, if combined with other data in a public authority recipient’s possession, such as credit card records, other surveillance videos etc., the data can be used to identify individuals and their locations.

In privacy law, consent is king. Collection, use and transfer of personal information, and in particular sensitive information, generally requires the consent of the individual. Health information such as whether you are infected with COVID-19 is a category of sensitive information. The law provides certain exceptions to the consent requirement. Most relevantly, these include circumstances where collection is in the interests of public health or safety, and it is unreasonable or impracticable to get an individual’s consent.

Other tenets of privacy law include the principles that only minimal data required to achieve an organisation’s objective should be collected, adequate security measures should be taken in relation to such personal information, and such information should be destroyed once the purpose for its collection has been satisfied. Taken together, privacy law does in fact aim to withstand the COVID-19 pandemic.

The GDPR is arguably the strictest privacy regime in the world. It binds the UK, the EU and organisations outside the EU which process personal data as part of the activities of one of their branches established in the EU, or which monitor the behaviour of individuals in the EU. Under the GDPR, processing health data about an individual is prohibited unless an exception applies. A relevant exception in these circumstances is processing personal data when it is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health. But just because personal data can be collected without consent does not mean that it is exempt from the rest of the protections provided by privacy law. In a statement released on 19 March, the European Data Protection Board (EDPB) reiterated that, whilst the GDPR contains sufficient justification for processing personal data in the context of COVID-19, the core principles of transparency, use of data for an explicit purpose, and proportionality must be respected and adhered to.

Governments seeking to use personal data to locate, track and contact trace the spread of COVID-19 should exercise the principle of data minimisation – only use personal data absolutely necessary for meeting the purpose of collection. Under the GDPR, and the European ePrivacy Directive, governments and organisations might have authority to track an individual on the basis of national security interest if there’s genuine reason to believe they might be infected. But a similar legal basis is unlikely to allow for indiscriminate mass tracking of individuals. Therefore, data collection in these circumstances could be limited to requesting telcos and certain tech companies to share aggregated anonymised data which they already have. From this we can at least get a general idea about where and when people are congregating and where spreads might be more prevalent.

Developing a COVID-19 specific app for individuals to download and grant appropriate express consents has obvious benefits, particularly if they could log their own movements themselves. Clear and unambiguous terms and conditions, and full transparency with regular updates as to how an individual’s data will be used, to which third parties their data will be transferred, and for what purpose, are all imperative for a trustworthy app to pass muster. Technology that satisfies those criteria is more likely to be adopted voluntarily by individuals.

Widespread adoption of any technology is key to the efficacy of apps such as TraceTogether. The 1 million Singaporeans who have downloaded the app represent approximately 17% of the country’s population. However, according to Singapore’s National Minister, Lawrence Wong, to be truly effective the country needs 75%, or ideally 100%, of the population to download the app and keep Bluetooth switched on on their devices. Making uptake of an app compulsory (or, similarly, offering a voluntary app which cafes, restaurants and workplaces nevertheless require people to use to prove their COVID-free status on entry) also risks jeopardising public trust in the organisations seeking to battle the spread of COVID-19.

We are living in a time when public trust in western governments is low, and public trust in businesses and health services needs to be maintained. This may mean taking extra time with reputed technology providers to develop a contact tracing app. When it comes to use of our personal information, full transparency regarding the security of the app, and the steps taken to ensure protection of data, is the surest way to enshrine trust. And trust in our leaders is the optimal way to galvanise a population to adhere to social distancing and public health and safety rules more broadly intended to flatten the curve. And if we trust our leaders to protect our privacy, we are more likely to adopt whatever technological initiatives they put forward to the public as helping that cause.
