Data Protection Impact Assessment – COVID Tracker Ireland App
Contact tracing has been identified by health officials as one of the main pillars in slowing down the spread of the COVID-19 virus. For this reason, the Health Service Executive (HSE), introduced a national COVID-19 mobile tracking application – the COVID Tracker App.
Use of the COVID Tracker App is voluntary and it is intended to improve the speed and the accuracy of the tracing process. The app uses the phone’s Bluetooth and anonymous IDs to log close contact with another phone that has also the app, the distance between the phones and the length of time the phones are near to each other.
People who test positive for COVID-19 are able to choose if they want to anonymously alert other application users who they have been in close contact with. If the app finds that a user has been in close contact with someone who has tested positive for coronavirus, they will receive an app alert.
Overview of the COVID Tracker App
As per the app documentation, when a person downloads the COVID Tracker App, they can optionally enable its Contact Tracing function. The application is designed to continuously scan for other phones that have also enabled the functionality and will record the proximity by sending each other random IDs without any user action. If a person tests positive for COVID-19, the HSE will contact this person by phone and will be asked if they want to volunteer these IDs to the HSE. The HSE then uploads these IDs to a registry. Each phone that has the application enabled, checks every 2 hours if the user’s ID is on the register, and if found it will alert the user he/she has been in close proximity of a confirmed case. If a user wants, they can record their phone numbers to receive a follow up call from the HSE.
Another function will provide users with the option to share symptom information. According to the DPIA will be used to gain statistical insight into the COVID-19 symptoms in the country. Users can grant or revoke access to application metrics intended to understand how the public is using the application as well as how the application is performing and functioning.
The use of the application complements, but does not substitute advice given by health officials. It is important that the public continues to follow existing health measures as published in https://www.gov.ie, including, but not limited to, social distancing, washing hands well and often, and covering mouth and nose with a tissue or bent elbow when coughing or sneezing.
Data Protection Impact Assessment
Given the scale of the data being processed and the type of data involved, and the technologies being used, a Data Protection Impact Assessment (DPIA) was completed. A DPIA helps to identify what personal data the application will use and how users’ privacy and confidentiality rights are protected.
The DPIA contains details on what personal data is collected, how it will be stored and processed, and the retention periods. It also states the measures in place to avoid the disproportionate processing of personal data. These are listed as its voluntary nature, the pseudonymisation of information, the optional provision of phone numbers and contacts, and the controller’s decision to not collect and process device generated location data.
This DPIA was reviewed by the Office of Office of the Data Protection Commissioner’s (DPC) and recommendations were documented.
Among the recommendations was the need for monitoring to ensure the application continues to process personal data in a manner that meets the requirements of necessity and proportionality “…For example, if the population uptake of the App fails to reach a sufficient threshold, the necessity and proportionality of continuing to process the data of those who do use it should be reconsidered.” Close monitoring is also required to understand the effectiveness of the App.
In the interests of transparency, the DPC made recommendations regarding communications to the public and end users such as:
- publishing the App source code and the DPIA.
- informing on the use of the different functions and how personal data will be used.
- that anonymised data is transferred by the controllers to the CSO.
- Decisions of the Governance Committee.
- How to delete data from devices and how to exercise their Data Subject Rights.
It also advises the use of independent testing of security measures implemented to secure the data.
As per the DPIA, no personal data is intended to be processed beyond the period of the pandemic in line with the European Data Protection Board’s guidelines. Application is intended to be wind down within 90 days of the end of the COVID-19 crisis.
To access the application documentation please follow these links to the HSE website:
Privacy and use of Personal Data: https://covidtracker.gov.ie/privacy-and-data/