Speeches, Presentations & Articles

“Data privacy issues relating to COVID-19 contact tracing apps” — Privacy Commissioner's article in OneTrust DataGuidance (March 2021)

Since its outbreak towards the end of 2019, COVID-19 has quickly escalated into a global health crisis. Characterised by the World Health Organisation as a pandemic in March 2020, COVID-19 has infected over 116 million people and claimed over 2.5 million lives worldwide. Governments around the world have been using unorthodox technological measures to help them fight the pandemic. Among others, public health surveillance technologies such as contact tracing or exposure notification mobile apps have been regarded globally as a crucial and novel way to help contain its spread. While public health surveillance technologies have become an integral part of many pandemic prevention and containment strategies, data protection authorities ('DPAs') around the world stress that all stakeholders should always be vigilant about the personal data privacy concerns that are raised in the process.

Contact tracing apps: trends and best practices

To address privacy challenges posed by the pandemic, the Global Privacy Assembly ('GPA') established the COVID-19 Taskforce in May 2020 [1]. Taking an active role in the COVID-19 Taskforce, my office spearheaded the compilation of the Compendium of Best Practices in Response to COVID-19 [2] ('the Compendium'), which contained relevant experience and best practices contributed by 32 GPA members and observers from different geographic regions, through a survey conducted in August and September 2020 ('the Survey').

The use of contact tracing apps was featured as one of the main topics in the Compendium. According to the Survey's results, jurisdictions commonly deployed digital technologies for the purpose of contact tracing (84%), and the majority of them (72%) were in the form of contact tracing apps. Many of these contact tracing apps (84%) used the Bluetooth signals of mobile phones to keep records of individuals who had come into close proximity of each other, which allowed public health officials to notify or even quarantine people who had been in close contact with the infected. The use of almost all contact tracing apps reported in the Survey (except those for enforcing quarantine orders) was voluntary.

The level of privacy protection for different contact tracing apps may vary. For example, for contact tracing apps adopting a centralised approach, personal data of users is collected and stored in a central database upon registration. Often, anonymised proximity data collected by the apps will be uploaded to central servers when the users become infected, thus allowing the relevant authorities to trace their close contacts. On the other hand, in a decentralised approach, registration is usually not required. Anonymised proximity data collected by the apps would remain on the users' mobile devices. Only the pseudonym IDs of the infected users assigned by the app will be uploaded to central servers in order to notify those who may have been exposed to the virus.

The decentralised approach is more privacy-friendly because information on the infected users' close contacts is not accessible centrally by the relevant authorities. In the 'Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak' [3] issued in April 2020, the European Data Protection Board took the view that the decentralised approach was the most in line with the principle of data minimisation.

On the other hand, some countries went the other direction and further incorporated real-time GPS tracking data in their contact tracing measures, which would increase data accuracy and tracing effectiveness, but which is also considered more privacy-intrusive owing to the continuous tracing of geolocation data. The results of the Survey conducted by my office showed that only one fourth (25%) of all digital contact tracing measures reported in the survey involved the use of location tracking techniques.

Apart from providing an overview on the use of contact tracing apps, the Compendium also contained the best privacy practices for contact tracing apps adopted in the 32 jurisdictions, with a view to reaping the benefits of collective experience and wisdom for the development of contact tracing apps in future. Examples of the best practices include:

  • conducting Data Protection Impact Assessments or Privacy Impact Assessments ('PIAs') before rolling out the contact tracing apps to ensure Privacy by Design;
  • permitting voluntary use of contact tracing apps;
  • adopting data minimisation techniques such as (i) collecting only anonymous/pseudonymised/de-identified data (e.g. no name, phone number, or location data would be collected by the apps), and (ii) uploading only the information of infected persons to central databases (i.e. decentralised exposure notification);
  • adopting various measures to demonstrate transparency and enhance public trust, such as (i) publishing privacy policies of the contact tracing apps; (ii) informing the users when their data is deleted; and (iii) chartering the DPAs or oversight committees to review the operation of the apps;
  • spelling out the retention periods for the data collected by contact tracing apps, the more common retention period being from 14 to 30 days after the collection; and
  • pledging that the contact tracing apps would be scrapped when the COVID-19 pandemic is over.

Hong Kong's situation

The Government of the Hong Kong Special Administrative Region of China has also adopted advanced technological measures to combat COVID-19, including the contact tracing 'LeaveHomeSafe' app [4] ('the App'). The App was launched in November 2020 to help members of the public record their visits to public places such as shopping malls and restaurants, and will notify them when they might have been exposed to the virus through having visited the same place around the same time as an infected individual.

To alleviate the public's concern about privacy, an independent third party has been engaged by the Hong Kong Government to conduct a PIA to ensure that the App is in compliance with the requirements of the local privacy law, namely, the Personal Data (Privacy) Ordinance (Cap. 486) as amended in 2012. In particular, it is noteworthy that:

  • The App does not have a location tracking function and neither does it collect users' GPS data; therefore, the App does not have the function of tracking users' movements.
  • The downloading of the App, which can be used immediately after download, does not involve registration of the users' personal data. No collection of any personal data is involved during the process of download.
  • Visit records are kept on users' mobile phones only, not in any Government systems. There is no transfer of personal data to the Government's systems or operators of premises for retention.
  • Visit records will be automatically erased after 31 days.
  • Only in the unfortunate event of a confirmed infection as ascertained by the Centre for Health Protection ('CHP') will the infected person be required under the Prevention and Control of Disease (Disclosure of Information) Regulation (Cap. 599D) to upload the relevant visit records and provide his/her name and contact telephone number to assist the CHP in contact tracing.

The privacy design of the App is in line with the least privacy-intrusive design advocated internationally by DPAs.

The way forward

While digital technologies provide powerful tools for governments to fight COVID-19, their efficacy depends on people's trust and confidence in such applications. These measures should therefore be implemented with careful planning and transparency, upon consultation with major stakeholders in the society and with robust Privacy by Design protection. Before rolling out the digital measures, governments have to consider privacy implications, including but not limited to:

  • the legal basis for collecting and using personal data in these technological measures;
  • whether the use of these measures is necessary and proportionate, taking into account the amount of personal data collected, the specific purpose(s) of collection, how the data will be processed and shared, and whether any less privacy intrusive alternatives are available;
  • the quality of the personal data collected such that the accuracy of these technological measures can be ensured;
  • whether the technological measures are implemented with transparency, accountability, and full explanation;
  • whether the public will be given a free and informed choice of using these measures; and
  • the period which these measures will be in place and for how long the personal data will be retained; data should only be retained for so long as is necessary to achieve the purposes for which it was collected.

Going forward, my office will continue to take on an active role in the work of the GPA COVID-19 Working Group [5] (a successor of the COVID-19 Taskforce) by leading the work on identifying the most pressing privacy issues currently arising from the COVID-19 pandemic, exploring the related best privacy practices, and compiling relevant guidance to all stakeholders, including both public and private entities, with a view to striking the appropriate balance between privacy protection and combating the pandemic.

Ada Chung Lai-ling
Privacy Commissioner for Personal Data, Hong Kong, China


  1. https://globalprivacyassembly.org/covid19/covid19-taskforce/
  2. Press release: https://www.pcpd.org.hk/english/news_events/media_statements/press_20201016.html;
    Compendium: https://www.pcpd.org.hk/english/news_events/media_statements/files/compendium.pdf
  3. https://edpb.europa.eu/our-work-tools/our-documents/ohjeet/guidelines-042020-use-location-data-and-contact-tracing-tools_en
  4. https://www.leavehomesafe.gov.hk/en/
  5. https://globalprivacyassembly.org/wp-content/uploads/2020/10/FINAL-GPA-Resolution-on-Privacy-Data-Protection-Challenges-Arising-in-the-Context-of-Covid-19-Pandemic-EN.pdf