Data Privacy and Protection in the age of COVID-19
Contact tracing has been widely used by public healthcare officials for many decades. It is the process of identification and investigation of patients with confirmed and probable diagnoses of an infectious disease. Contact tracing also involves the subsequent identification, monitoring, and support of the contacts of the patients, who might have been exposed to, and possibly infected with, the virus. Prompt identification, voluntary quarantine and monitoring of these contacts can effectively break the chain of disease transmission and prevent further spread of the virus in a community.
Public healthcare systems have been using contact tracing to curtail the spread of virus-causing diseases for sometime now. Diseases such as tuberculosis, measles, smallpox or other infections like HIV, Ebola etc. have been using contact tracing as a means of reducing the spread of infection and alert contacts of infected individuals, thereby reducing the spread of the disease.
The eradication of smallpox was possible not only with universal vaccination but with using exhaustive contact tracing of infected persons. Public awareness led to prompt identification of contacts of the diseased individuals who were immediately isolated and vaccinated. Thus, the outbreak of smallpox was contained without any cases since 1979 demonstrating that contact tracing and case isolation can extinguish communicable disease outbreaks.
2020 has seen an unprecedented calamity in the form of COVID-19 or Coronavirus. According to CDC, contact tracing would help in breaking the chain of disease transmission. What is new with contact tracing for COVID-19 is using contact-tracing software or mobile apps to identify, investigate and monitor contacts exposed to an infected individual. Most contact tracing apps are downloadable by the public from the app store. If a user tests positive for COVID-19, they provide their consent to sending the stored data to the health authorities who can, in turn, contact the individuals whom the user has encountered using blue tooth technology. The software maintains data privacy by anonymizing the IDs of the users, not using the contact list of the user, and storing the data only on the user’s device. Singapore’s contact tracing app “TraceTogether” is one such example.
However, contact-tracing using mobile apps poses a potential privacy risk of users who share the data. For example, research conducted about the privacy risks of contact-traced data, has shown that most data like gender, place of work/home, as well as a person’s religious affiliations was made possible to be disclosed. This raises the question about how to strike a balance between the risks of data privacy versus the public benefits from using contact-tracing apps. While contact tracing can benefit communities who might not be aware of the exposure, it also raises fear about potential use of personal data for surveillance. While Apple and Google have confirmed architectures that protect data privacy, according to Ashkan Soltani, former chief technologist for the Federal Trade Commission, it is still possible to circumvent this by using video recording to pose a cyber-attack and hack the data.
Governments around the world are taking drastic measures against controlling the pandemic — including restricting spread of mis-information about the virus. Traditional contact tracing involves interviewing those who test positive for the virus and collecting information about anyone they have contacted in the last two weeks. With the introduction of technology for contact tracing, the user’s location data, their profile information and their contact information is susceptible to abuse. Technology based apps also amplify the inequalities in society in areas where access to digital products is absent or minimal. Healthcare officials, technology solutions and business leaders need to ensure that privacy and data protection are imperative when contact tracing apps are used.
Apple and Google have collaborated with a privacy-preserving blueprint for the design of the technology solution. While the Bluetooth and cryptography enabled design will help maintain user privacy, the broader issue lies beyond technology. Public health officials, researchers, cryptographers can come together and determine what some of the nuances of data privacy protection are and how to balance combating the virus while protecting user data.
How can government and business leaders decide whether to use contact-tracing apps or not? Among various discussions, we notice five essential points that can help:
First, both public health officials and business leaders have to stay on top of the data privacy design trends. The cryptography design that uses Bluetooth technology should use randomized identifiers to convey positive diagnoses in addition to data such as associated symptoms, proximity, and duration. In addition to this, the app should be downloadable after obtaining user consent.
Second, when you are implementing contact-tracing apps, augment the app with manual process as well. While mobile apps offers many possibilities to support contact tracing, manual methods should complement and support this process. This will enable penetration into all sectors of population including the elderly and those with limited access to technology.
Third, engagement with all users, those who are positive as well as their contacts, should mandate user consent. Including simple language to help users know their rights can help. Users should also be advised about their information being sent to healthcare officials, as the case maybe. Providing a customer service helpline will help ease the anxiety of the users as well as their exposed contacts.
Fourth, the veracity of the data (such as confirmed cases) can be verified using trusted data sources like public health authorities as well as test results.
Finally, do not store data; release the records after 21 days
Although the use of technology for contact tracing of COVID-19 poses risks, there are several benefits — of not relying on user memory for information, allow unknown contacts to be located, and potentially help community curtail the rate of spread. Implementing the technology solutions require careful consideration on aspects of privacy and data protection. The software can be used to support manual efforts and should include data managers, biostatisticians, epidemiologists, and other public health professionals in the conversations.
