One of the best ways to provide optimal protection to data during COVID-19 is to anonymise it. But there are questions about the effectiveness of anonymization. Research by Sean McDonald indicates that the only way the data of call data records during the Ebola crisis were usable was with de-anonymization of data.
There is a need to have more technical conversations around anonymization and utility as there is no clarity on what kind of anonymization techniques are being used in contact tracing apps or anonymization as a substitute for de-identification.
Data minimization:
Users must save and process only what is needed. Contact tracing doesn’t require location as the need is proximity data and direct identification of individuals is not required. Data collected through contact tracing apps should only be pulled into government servers when it is needed. Contact tracing requires a history of data, but that requires to turn tracking on, so users do not need to pull it up to the cloud unless it is a compulsory need.
With a focus on minimization and decentralization technologies, the DP-3T protocol that has come up in the EU is particularly interesting. Decentralization builds democratic trust in the user itself. It says that if a user wants to volunteer the information to the central government for his/her own benefit, they may choose to do so. If the user doesn’t want to, it is only going to give the information that the user is possibly infected, so they can choose to take any action based on that information.
Proportionality:
Proportionality is of paramount importance: not just a suitability. Is technology or data collection necessary or solving a purpose? Is it the least restrictive measure, and what is the balancing that a user must do? What are the rights and obligations on the other side? These obvious questions are complicated and may add confusion to the user’s mind.
Purpose specification:
The purpose of the data collection should be clearly specified. Purposes should be specific enough that you can exclude any kind of further processing for purposes that are unrelated to COVID19, and function creep should be avoided.
For example, in the case of the Aarogya Setu app in India, the purpose of data collection was clearly specified by Government of India.
Limitation on sharing of data:
Secondary use of data incepts notice cycle again and hence there must be a limit on sharing of data. When data is collected compulsorily for a purpose, by one department, it cannot be shared with another department for any reason, unless there is a warrant or a legal necessity.
For example, a landmark judgment called Marcel vs Commissioner of Police in the early 1990’s about Government sharing of data can be read to understand the aspects of entities sharing user data. If the user shares their data with the health department of the government, that data must not end up in the rest of the departments. This breach of data will plant distrust in the user and they will be tempted to not share their data at all.
Map out data sharing for addressing the pandemic:
This is a health pandemic and hence all are looking at an economic crisis later. There will be other moves by the entities to use the personal information from contact tracing apps such as the [Aarogya Setu] application. This personal information that is currently being leveraged in this pandemic for health crisis ought to be ring-fenced, so that six months later, if anyone tries to target something somewhere, is a clear rationale why they are trying to access the said data.
Principle of non-discrimination of data:
Can there be incorporation of a principle of non-exclusion or non-discrimination in these [contact-tracing] applications which is new? Like both the proposed legislation in the UK and as well as the actual legislation in Australia a few days ago, it incorporates the principle that says that no one will be harmed if they don’t have access to a technology.
For example, No one shall be denied access to food shelters or night shelters if they haven’t downloaded the Aarogya Setu app, and implementing immunity passports, which is happening in India through the e-pass program.
Oversight – preferably judicial oversight – and accountability:
It is important to know who is getting the data, defining who is the extractor of data fiduciary in that case. Only if it’s known who the data fiduciary is, that one can know whom to approach. Oversight, and accountability of the organization that is collecting data, is very important.
For example, In case of the Aarogya Setu app, the government of India is not liable for any misuse. The question is who is accountable then? There is a strong need for an ombudsman to whom someone can go and say that there has been a violation. Asking people to file writ petitions in court is not a sustainable solution. There are ways to ensure that set up for institutional frameworks that create the kind of oversight mechanism without interfering with the government’s response and its ability to manage it dynamically.
Reviews of surveillance mechanisms for data:
There should be a periodic review of the disease related surveillance mechanisms for data in place, to check for necessity, proportionality and efficacy of the steps being taken, with periodic decisions being taken to extend or sunset certain surveillance. Review may also be from a region-by-region perspective.
Data protection impact assessment with retention and deletion:
While implementing a high-risk tool that involves large scale adoption, or systematic monitoring, there should be a data protection impact assessment to mitigate risks. Data should not be retained beyond its stated purpose being met. The data should be deleted. On the Aarogya Setu app, data is deleted on a 30-day cycle. On the cloud, it is deleted after 45 days. If someone is infected, it is deleted 60 days after the said patient is cured.
Sunset clause:
Many speakers supported the idea that a sunset clause needs to be in place. Note that the Aarogya Setu contact tracing app doesn’t have a sunset clause. No one knows for how long surveillance measures would be necessary. There is no guarantee that if somebody has already recovered after contracting the infection, then they will not be infected again.