Privacy Commissioner of Canada Daniel Therrien said that technology can help address the COVID-19 pandemic.
“If done properly, tracing applications can achieve both privacy and public health goals at the same time,” he said in a May 7 statement. “Everything hinges on design, and appropriate design depends on respect for certain key privacy principles.”
Those principles include:
- Consent and trust: The use of apps must be voluntary. This will be indispensable to building public trust. Trust will also require that governments demonstrate a high level of transparency and accountability.
- Legal authority: The proposed measures must have a clear legal basis and consent must be meaningful. Separate consent must be provided for all specific public health purposes intended. Personal information should not be accessible or compellable by service providers or other organizations.
- Necessity and proportionality: Measures must be necessary and proportionate and, therefore, be science-based, necessary for a specific purpose, tailored to that purpose and likely to be effective. The privacy commissioners set out guidance to governments for determining whether the measures in question are justifiable.
- Purpose must be limited: Personal information must be used solely for its intended public health purpose.
- De-identification: De-identified or aggregate data should be used whenever possible, unless it will not achieve the defined purpose. Consideration should be given to the risk of re-identification, which can be heightened in the case of location data.
- Time-limitation: Exceptional measures should be time-limited. Any personal information collected should be destroyed when the pandemic crisis ends, and the app should be decommissioned.
- Transparency: Government should be clear about the basis and the terms applicable to the exceptional measures, including fully informing Canadians about the information to be collected; how it will be used; who will have access to it; where it will be stored; how it will be securely retained; and when it will be destroyed. Privacy impact assessments, or meaningful privacy analysis, should be completed, reviewed by privacy commissioners and a plain-language summary published proactively.
- Accountability: Governments should develop and make public an ongoing monitoring and evaluation plan concerning the effectiveness of the initiatives and commit to publicly posting the evaluation report within a specific timeline. Oversight by an independent third party — such as review and implementation monitoring by a privacy commissioner’s office — will help ensure accountability and reinforce public trust. While some privacy commissioners already have the legal authority to conduct independent audits, the commissioners urged that those who don’t should be given that mandate by their governments. If effectiveness of the app cannot be demonstrated, it should be decommissioned and any personal information collected should be destroyed.
- Safeguards: Appropriate legal and technical security safeguards, including strong contractual measures with developers, must be put in place to ensure that any non-authorized parties do not access data and to ensure that data is not used for any purpose other than its intended public health purpose. Authorities must ensure the public are aware of associated risks and threats, such as online fraud or malware.
The Office of the Privacy Commissioner of Canada also published guidance last month to assist organizations subject to federal privacy laws to understand their privacy-related obligations during the pandemic.