As COVID-19 is rapidly spreading around the world, public health authorities are eagerly searching for effective measures to flatten the curve and decrease the rate of contamination. Among others, many governments are using or considering using surveillance technology to track the movements of people infected by COVID-19 and notify those who may have been exposed to the virus. Naturally, the use of such measures on a wide scale raises serious privacy concerns. In Israel, for example, there is a lively debate over emergency regulations enacted to allow the government to monitor "technological data" for issuing warnings to people who may have been in contact with COVID-19 patients, and such measures are currently undergoing judicial review by the Israeli Supreme Court. In Europe, the European Commission has recently issued recommendations on the use of technology and data to combat and exit from the COVID-19 crisis, with an aim to strike a balance between the need for effective measures for fighting the pandemic and the desire to protect fundamental rights, namely privacy. Among others, the commission recommends that privacy-by-design principles (i.e., integration of data protection principles as part of the development process) be integrated in a pan-European approach for using digital means to address the crisis.

This article focuses on the implementation of privacy-by-design principles in COVID-19-related applications and demonstrates the use of such principles through an example of an application launched by the Israeli Ministry of Health.

"HaMagen" ("the shield" in Hebrew), which was developed in a joint effort of the MoH, tech companies and volunteers, including external cybersecurity and privacy experts, compares GPS location data stored on a person's smartphone with the location data of patients diagnosed with COVID-19. In case of a match, the user is notified and given the option to report their exposure to the MoH. The main privacy-promoting feature of the application is that, per the application's privacy policy, the user's location data stays on the device and is not shared with the MoH or any third party. Instead, the application downloads digitally signed data files containing the location history of diagnosed COVID-19 patients from the MoH's servers, and the comparison of such data with the user's location data takes place on the user's device.

In addition, the application's retention of location data is limited to 14 days (the estimated incubation period of COVID-19). Furthermore, in an effort to increase transparency and security, the MoH published the application's source code on GitHub and manages it as open-source code (save for several commercial libraries). According to the MoH, the application has also undergone extensive cybersecurity testing (including architectural checks, code reviews and penetration tests) by several cyber and information security agencies and by specialists from the private sector. The application further has a detailed privacy policy, which is available in four languages.
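As an added illustration (not HaMagen's own code, whose source is on GitHub), the following Python sketches the three properties described above: the downloaded patient file is integrity-checked before it is used, the comparison runs entirely on the device, and location history older than 14 days is pruned rather than compared. The 50 m / 15 min matching thresholds, the JSON record format and the use of HMAC-SHA256 with a constructed key as a stdlib stand-in for the MoH's public-key signature are assumptions, not details from the page.

```python
import hashlib, hmac, json, math
from datetime import datetime, timedelta, timezone
RETENTION = timedelta(days=14)      # HaMagen's stated retention period for location history
RADIUS_M = 50.0                     # assumed proximity threshold (not stated on the page)
WINDOW = timedelta(minutes=15)      # assumed time-overlap threshold (not stated on the page)
DEMO_KEY = b"constructed-demo-key"  # constructed stand-in for the MoH's signing key

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2, dlat, dlon = map(math.radians, (lat1, lat2, lat2 - lat1, lon2 - lon1))
    h = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371000 * math.asin(math.sqrt(h))

def load_points(records):
    """{lat, lon, t} JSON records -> (lat, lon, timezone-aware datetime) tuples."""
    return [(r["lat"], r["lon"], datetime.fromisoformat(r["t"])) for r in records]

def verify_patient_file(raw, signature, key=DEMO_KEY):
    """Integrity gate: HaMagen checks an MoH public-key signature; HMAC-SHA256 stands in here."""
    expected = hmac.new(key, raw, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("patient file signature invalid; refusing to compare against it")
    return load_points(json.loads(raw))

def prune_history(points, now):
    """Retention limit: points older than 14 days are dropped, never compared."""
    return [p for p in points if now - p[2] <= RETENTION]

def find_exposures(user_points, patient_points, now):
    """On-device comparison: reads the user's own history; nothing leaves the phone."""
    hits = []
    for ulat, ulon, ut in prune_history(user_points, now):
        for plat, plon, pt in patient_points:
            if haversine_m(ulat, ulon, plat, plon) <= RADIUS_M and abs(ut - pt) <= WINDOW:
                hits.append((ut.isoformat(), plat, plon))
    return hits

# Constructed sample: the same Tel Aviv spot visited 2 days ago (match) and 22 days ago (pruned).
NOW = datetime(2020, 4, 1, 12, tzinfo=timezone.utc)
USER_HISTORY = load_points([
    {"lat": 32.0853, "lon": 34.7818, "t": "2020-03-30T10:00:00+00:00"},
    {"lat": 32.0853, "lon": 34.7818, "t": "2020-03-10T10:00:00+00:00"}])
PATIENT_FILE = json.dumps([
    {"lat": 32.0854, "lon": 34.7818, "t": "2020-03-30T10:05:00+00:00"},  # ~11 m, 5 min apart
    {"lat": 32.0853, "lon": 34.7818, "t": "2020-03-10T10:00:00+00:00"},  # only the pruned point
    {"lat": 32.0853, "lon": 34.7818, "t": "2020-03-30T14:00:00+00:00"}]).encode()  # 4 h later
PATIENT_SIG = hmac.new(DEMO_KEY, PATIENT_FILE, hashlib.sha256).hexdigest()  # done server-side

def run_demo():
    return find_exposures(USER_HISTORY, verify_patient_file(PATIENT_FILE, PATIENT_SIG), NOW)
```

A tampered or unsigned patient file never reaches the comparison step, and the 22-day-old user point is discarded before matching even though a diagnosed patient was at the same spot.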

According to media reports, less than a week after its launch, more than 1 million people had downloaded the application, out of a population in Israel of approximately 9 million. It remains to be seen how effective the application will be in limiting the outbreak of COVID-19. Yet the integration of privacy-promoting principles in its development process and the transparency with respect to its operation are important for building trust and for encouraging the public to download and install the application.

So, how can app developers implement privacy by design when developing new applications for fighting COVID-19? Here are some practical tips:

Incorporate data protection principles from the very first steps: Considering the potentially sensitive nature of personal data that may be collected by COVID-19 applications (e.g., health information, location data), it is important to think about, and implement, privacy and cybersecurity from the early stages of the development process.

Purpose: Define a clear and limited purpose for the collection, use, retention or disclosure of personal data, and communicate it to the data subjects at or before personal data is collected. Collection and processing of personal data must be strictly limited to the defined purpose and personal data must not be used for any other purpose.

Limit data collection and processing to a minimum: Avoid collecting or processing types of personal data that are not directly necessary for fulfilling the purpose of processing and limit the amount of personal data collected accordingly. To the extent possible, design the application so that the processing of personal data is done on the user's device and avoid storing personal data anywhere else.

Limit data retention: The retention period of personal data collected by the application should be limited to the minimum necessary for the defined purpose. To the extent possible, the application should also allow data subjects to delete their personal data whenever they choose to do so.

Cybersecurity: Cybersecurity is essential for safeguarding privacy. Implement strong cybersecurity measures that are consistent with industry standards.

Transparency: Provide clear information in plain language on the processing of personal data by the application. Developing the application as "open source" can further promote transparency, by allowing the public to examine and ensure that the application operates as presented.

Many of the measures that are deployed in the global fight against the spread of COVID-19 have a significant impact on privacy, as well as on other civil rights and liberties. However, the promotion of public health and the protection of privacy do not have to add up to a zero-sum game. Implementing smart tech solutions that contain privacy by design features can, in many cases, effectively promote public health goals while minimizing the risks to privacy. Privacy by design can also strengthen credibility and encourage the public to use protective measures promoted by the government, in a manner that may decrease the need to use measures that are more intrusive.
