The chair of the Council of Europe’s data protection ‘Convention 108’ committee, Alessandra Pierucci, and the Council of Europe Data Protection Commissioner, Jean-Philippe Walter, have recently released a joint statement on digital contact tracing in the fight against coronavirus.
Digital contact tracing is being used in many countries to help control the spread of coronavirus by alerting individuals who may have come into contact with an infected person. The UK government is gearing up to deploy its contact tracing app within the next few weeks (it is currently being tested on the Isle of Wight), which could help lift the lockdown measures further. However, as highlighted by the joint statement, it is crucial to ensure that the necessary data protection safeguards are implemented when adopting extraordinary measures to protect public health.
The joint statement sets out various familiar and well-established data protection principles that public authorities using digital contact tracing should adhere to when designing and implementing monitoring systems. These include trust and voluntariness; privacy by design; transparency; purpose specification; and data sensitivity, quality and minimisation. Some key points to pull out from the joint statement are as follows:
- Voluntariness does not mean that the processing of personal data will necessarily be based on consent as its legal basis. Convention 108 allows processing on the grounds of public interest, including public health, provided for by law. Therefore, national laws, promoting a genuine voluntary recourse to such systems, would constitute an appropriate legal ground for this processing, provided that appropriate safeguards are put in place.
- Digital contact tracing systems should be designed to ensure that location data of individuals are not used, that no direct identification is possible and that re-identification is prevented.
- The purpose of such systems should be solely limited to identifying individuals potentially exposed to the virus. Any unrelated purposes, such as commercial or law enforcement purposes, should be excluded, and further processing of data for epidemiological research or statistical purposes would necessarily require explicit consent.
- Digital contact tracing should be done on the basis of records of connections between mobile devices, rather than on the basis of location data (e.g., GPS-generated data). It should be based on an architecture that relies as much as possible on the processing and storing of data on the devices of individual users.
- Full transparency through open source development of the code is highly recommended, enabling anyone interested to audit (and possibly improve) the code.
- The data used for digital contact tracing should only be kept for the duration of the management of the pandemic, and storage limitation periods should be defined in line with the epidemiological relevance of the data (such as the incubation time of the virus).
You can read the joint statement here.