Canada: Someone Really Is Watching Me: New Privacy Guidance For Contact Tracing

Earlier this week we wrote about Alberta's mobile contact tracing application, introduced with the objective of monitoring exposure to and containing the spread of COVID-19. Similar apps which trace contacts within proximity to someone who has been confirmed or is likely to be a carrier of COVID-19 to notify individuals of potential exposures, are being introduced across Canada and around the world. Yesterday, the Canadian federal, provincial and territorial Privacy Commissioners issued a joint statement for governments and other organizations considering this type of technology. Although the statement is aimed at government and public health authorities, the guidance is relevant to other organizations, to which we expect a similar standard will be applied.

In the statement, the Privacy Commissioners recognize that the safety and security of Canadians is of grave concern in the COVID-19 health crisis, and that limiting the spread of COVID-19 is an urgent and significant challenge. However, the statement also emphasizes that extraordinary measures such as contact tracing have significant implications regarding both privacy and fundamental rights of Canadians. As such, the statement outlines the following minimum requirements applicable to contact tracing solutions:

• Consent and trust: The use of contact tracing apps must be voluntary and organizations using these apps must be transparent and accountable for their use.
• Legal authority: Contact tracing apps must have a clear legal basis and consent to their use must be meaningful.
• Necessity and proportionality: Contact tracing apps must be necessary and proportionate and, therefore, be science-based, necessary for a specific purpose, tailored to that purpose and likely to be effective in achieving that purpose.
• Purpose limitation: Personal information that is collected through contact tracing apps must be used for its intended purpose, and for no other purpose.
• De-identification: De-identified or aggregate data should be used whenever possible, unless it will not achieve the defined purpose for use of the app. Consideration should also be given to the risk of re-identification, which can be heightened in the case of location data.
• Time-limitation: Any personal information collected during this period should be destroyed when the crisis ends.
• Transparency: Organizations should be clear about the basis for and the terms applicable to contact tracing apps - individual Canadians should be fully informed about the information to be collected, how it will be used, who will have access to it, where it will be stored, how it will be securely retained and when it will be destroyed. App-specific privacy impact assessments and reviews should be conducted.
• Accountability: Organizations should monitor and evaluate the effectiveness of contact tracing apps and involve independent third party oversight where relevant. If the effectiveness of a mobile tracing app cannot be demonstrated, it should be decommissioned and any personal information collected via the app should be destroyed.
• Safeguards: Appropriate legal and technical security safeguards, including strong contractual measures with developers, must be put in place to ensure that any non-authorized parties do not access data and that data is not to be used for any purpose other than its intended purpose. Authorities must ensure the public is aware of associated risks and threats (e.g. online fraud or malware).

The above is an overview of key privacy considerations applicable to digital contact tracing in the context of COVID-19. Please do not hesitate to reach out to our MLT Aikins team if you require assistance with privacy and security related questions – we would be pleased to assist you in navigating the unique circumstances presented by this pandemic.