As COVID-19 is rapidly spreading around the world, public health authorities are eagerly searching for effective measures to flatten the curve and decrease the rate of contamination. Among other measures, many governments are using, or considering using, surveillance technology to track the movements of people infected by COVID-19 and to notify those who may have been exposed to the virus. Naturally, the use of such measures on a wide scale raises serious privacy concerns. In Israel, for example, there is a lively debate over emergency regulations enacted to allow the government to monitor "technological data" for issuing warnings to people who may have been in contact with COVID-19 patients, and such measures are currently undergoing judicial review by the Israeli Supreme Court. In Europe, the European Commission has recently issued recommendations on the use of technology and data to combat and exit from the COVID-19 crisis, with an aim to strike a balance between the need for effective measures for fighting the pandemic and the desire to protect fundamental rights, namely privacy. Among other things, the commission recommends that privacy-by-design principles (i.e., integration of data protection principles as part of the development process) be integrated in a pan-European approach for using digital means to address the crisis.
This article focuses on the implementation of privacy-by-design principles in COVID-19-related applications and demonstrates the use of such principles through an example of an application launched by the Israeli Ministry of Health.
According to media reports, less than a week after its launch, more than 1 million people had downloaded the application, out of a population in Israel of approximately 9 million. It remains to be seen how effective the application will be in limiting the outbreak of COVID-19. Yet the integration of privacy-promoting principles in its development process, and the transparency with respect to its operation, are important for building trust and for encouraging the public to download and install the application.
So, how can app developers implement privacy by design when developing new applications for fighting COVID-19? Here are some practical tips:
Incorporate data protection principles from the very first steps: Considering the potentially sensitive nature of personal data that may be collected by COVID-19 applications (e.g., health information, location data), it is important to think about, and implement, privacy and cybersecurity from the early stages of the development process.
Purpose: Define a clear and limited purpose for the collection, use, retention or disclosure of personal data, and communicate it to the data subjects at or before personal data is collected. Collection and processing of personal data must be strictly limited to the defined purpose and personal data must not be used for any other purpose.
Limit data collection and processing to a minimum: Avoid collecting or processing types of personal data that are not directly necessary for fulfilling the purpose of processing and limit the amount of personal data collected accordingly. To the extent possible, design the application so that the processing of personal data is done on the user’s device and avoid storing personal data anywhere else.
Limit data retention: The retention period of personal data collected by the application should be limited to the minimum necessary for the defined purpose. To the extent possible, the application should also allow data subjects to delete their personal data whenever they choose to do so.
Cybersecurity: Cybersecurity is essential for safeguarding privacy. Implement strong cybersecurity measures that are consistent with industry standards.
Transparency: Provide clear information in plain language on the processing of personal data by the application. Developing the application as "open source" can further promote transparency, by allowing the public to examine and ensure that the application operates as presented.
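The tips above (purpose limitation, data minimization, on-device processing, limited retention and user-initiated deletion) can be made concrete in code. The following is an added example written for this article; it is not code from the Israeli Ministry of Health application or from any other project. It assumes a 14-day retention window and random hex proximity tokens; both are assumptions chosen for illustration, and the scenario data is constructed.

```python
"""Added example (not the article's or any project's own code): an on-device
exposure store that keeps only what contact notification needs, enforces a
retention window, matches locally, and lets the user erase everything."""
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

# Assumption: 14 days is the minimum the notification purpose needs.
RETENTION = timedelta(days=14)


def make_token() -> str:
    """Ephemeral proximity token broadcast to nearby devices. It is random and
    not derived from any identifier, so it cannot be linked back to a person."""
    return secrets.token_hex(16)


def _digest(token: str) -> str:
    # Only the hash of a token is kept on the device; the raw value is discarded.
    return hashlib.sha256(token.encode()).hexdigest()


class ExposureStore:
    """On-device store for contact notification.

    Holds exactly two things per contact: the hashed token and when it was last
    seen. The record() method accepts no location, identity or device name, so
    nothing beyond the defined purpose can be collected (purpose limitation and
    data minimisation enforced by the interface, not by policy text).
    """

    def __init__(self):
        self._seen = {}  # hashed token -> datetime last seen

    def record(self, token: str, seen_at: datetime) -> None:
        h = _digest(token)
        prev = self._seen.get(h)
        if prev is None or seen_at > prev:
            self._seen[h] = seen_at

    def purge_expired(self, now: datetime) -> int:
        """Retention limit: drop anything older than RETENTION; return count removed."""
        cutoff = now - RETENTION
        expired = [h for h, t in self._seen.items() if t < cutoff]
        for h in expired:
            del self._seen[h]
        return len(expired)

    def check_exposure(self, published_tokens, now: datetime) -> int:
        """Match locally against tokens published by the health authority.
        Nothing leaves the device; only the number of matches is returned."""
        self.purge_expired(now)
        published = {_digest(t) for t in published_tokens}
        return len(published.intersection(self._seen))

    def delete_all(self) -> int:
        """User-initiated erasure of everything the app holds; returns count removed."""
        n = len(self._seen)
        self._seen.clear()
        return n


# Constructed scenario with a fixed clock so the result is reproducible.
T0 = datetime(2020, 4, 1, tzinfo=timezone.utc)


def demo():
    store = ExposureStore()
    stale, recent, bystander = make_token(), make_token(), make_token()
    store.record(stale, T0 - timedelta(days=20))   # outside the retention window
    store.record(recent, T0 - timedelta(days=2))
    store.record(bystander, T0 - timedelta(days=1))
    purged = store.purge_expired(T0)               # 1: the stale contact is dropped
    # The health authority later publishes tokens of confirmed cases; the
    # comparison happens on the device, so the contact history is never uploaded.
    matches = store.check_exposure([stale, recent], T0)  # 1: only the recent contact is still held
    deleted = store.delete_all()                   # 2: the user wipes the rest
    return purged, matches, deleted


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that minimization is enforced by the store's interface: there is no field in which a caller could put a location or a phone number, so the "minimum necessary" is a property of the code rather than a promise in a privacy notice. Publishing the code, as the transparency tip suggests, lets the public verify that.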
For more guidance on privacy by design, see Privacy by Design — The 7 Foundational Principles and the European Data Protection Board’s Guidelines on Data Protection by Design and Default.
Many of the measures that are deployed in the global fight against the spread of COVID-19 have a significant impact on privacy, as well as on other civil rights and liberties. However, the promotion of public health and the protection of privacy do not have to add up to a zero-sum game. Implementing smart tech solutions that contain privacy by design features can, in many cases, effectively promote public health goals while minimizing the risks to privacy. Privacy by design can also strengthen credibility and encourage the public to use protective measures promoted by the government, in a manner that may decrease the need to use measures that are more intrusive.