On the same day that the ICO appears before the Human Rights Joint Committee, the agency has released a data protection guide for the correct development of contract tracing applications.
The guidelines come in the form of a 10-step catalogue of principles that must be taken into account when constructing a contact tracing app or service.
Read This! Europe Publishes Contact-Tracing App Guidelines
Contact tracing is the process of slowing the spread of a virus during an epidemic by identifying anyone who might have come into contact with an infected person, and collecting further information about these contacts.
By tracing the contacts of infected individuals, testing them for infection and treating those affected, authorities can theoretically drastically reduce infections in a population.
The UK government and the NHS are developing an app to help them collect data on people who have contracted COVID-19, so they can implement contact tracing to mitigate the risk of a second wave of infections. The app will notify users if they have been in the same area as one or more infected people who are using the app. The UK’s app is to be trialled on the Isle of Wight this week.
Transparency is Key
The first three steps of the guide outline which aspects of the process the ICO will expect to be transparent. The app or service must be clear about its purpose, whether it will be created to track proximity, for example, or whether the design will be more ambitious. The designers must be clear about what risks their approach poses to individual rights, with developers strongly advised to take the least invasive route. They must also be transparent about the benefits expected from the app or service.
The ICO has also set-out guidelines concerning the users of the app; making it clear they must be protected through the use of pseudonyms, “which are renewed regularly as appropriate to your purposes and are generated in such a way that risks of re-identification and tracking are reduced”. According to the ICO, users should be given control over their own data via a privacy control panel or dashboard, and this data must not be stored for any longer than is necessary.
Finally, the commission states that the app must collect the minimum amount of data necessary for its purpose, and that the privacy of the user should be strengthened by the app, that its design does not introduce additional privacy and security risks for the user, such as identification or location.
While the UK is only at the testing stage, China, Australia Singapore, India, South Korea and most of Europe have already created apps to slow the progress of coronavirus.