TTP extends its best wishes to all those impacted by the coronavirus and hopes that all are safe and well. For those readers based in the UK, the NHS coronavirus guidance can be found here and Government guidance here. Stay home, stay safe.
Given the difficult circumstances of a health crisis, data becomes critical in informing the approach of governments and healthcare providers. Information concerning the nature of the virus, symptoms, at-risk groups, incidence and fatality rates all play key roles in ensuring a rapid and effective response. On a more nuanced level, trends can be identified in the data that can assist in risk profiling and resource allocation.
This is reflected in the response of the UK Government, which is launching an app to help individuals track whether they have come into contact with people infected by the virus. The GOV.UK Coronavirus Information Service has been launched over WhatsApp. A chatbot, this allows users to receive information about the virus and receive basic advice. This provides a good case study in safeguarding privacy in a crisis.
The Guardian and the Equality and Human Rights Commission rightly pointed out that this raises privacy concerns: people are being asked to submit their personal information and symptoms, which are then used to notify other users who are judged to have come into contact with them. This has been dubbed “contact tracing”. Naturally, buy-in is crucial to building up an accurate map of the people impacted, with it being judged that at least 60% of those infected would have to sign up for the App to be effective.
This process would see a large volume of users’ highly sensitive healthcare data being processed. This leads to a number of steps which should be taken, providing a useful case study in best practice when dealing with healthcare data:
- Relevant regulatory bodies should be engaged, such as the Equality and Human Rights Commission, to ensure the protection of key rights and compliance with best practice. The Information Commissioner’s Office should be (and likely has been) consulted at each stage of the process. ICO guidance on data protection and the coronavirus can be found here.
- Issues of doctor-patient confidentiality should be considered and mitigated. The adequacy of the application and the information it provides should be limited and assessed.
- Privacy protections should be built into the application, with the data taken being minimized and protected at every step, including through anonymization and aggregation.
- Data should be encrypted at source, further to WhatsApp’s own end-to-end encryption. The data protection measures taken by WhatsApp should be reviewed and its access to data should be limited to ensure it acts as a “mere conduit” for data. This includes review and amendment of WhatsApp’s own back-up and data protection policies, particularly where this involves Cloud storage.
- Access to data should be limited to only those for whom it is necessary and governed by robust agreements containing confidentiality provisions. This includes restricting third-party access in the event of maintenance and development.
- Users should have to use two-factor authentication to access the App.
- Users should be informed upon sign-up of all data processing activities and have the option to opt out at any time, amend their data, request records of their data and submit complaints to the ICO.
- A robust complaints procedure should be established.
- Risk assessments, data retention and privacy policies should be made available. The source code of the App is also being made available.
- Third-party data protection audits and security testing should be undertaken regularly.
- Data breach reporting policies and business continuity arrangements should be established and approved by third parties.
- It should be considered whether access should be limited to only those users within England and Wales. In the event users from other jurisdictions are permitted, which looks likely, this should be assessed and domestic data protection and privacy laws complied with.
- An action plan for ongoing review and safeguarding of the data gathering and protection practices undertaken by the App should be published.
- A policy for the disposal of data and shutdown of the App after the pandemic passes should be formed.
In its approach, the Government would be well placed to learn from its counterparts in other countries which have undertaken similar projects, such as China’s own digital contact tracing efforts. Cautionary lessons should be learned from India’s Aadhaar project, the country’s biometric data recording database, where successive data breaches left the data of its over 1bn users at risk.
For further information, privacy issues arising around the increased recording of health information during the pandemic have been scrutinised by TechCrunch and the Dispatch, whilst Politico covers recent Senate scrutiny. NBC News raises concerns after federal health officials suggested that they could use aggregated user data collected by technology companies to measure and mitigate coronavirus impact.