Contact tracing, together with testing and isolating COVID-19 patients, helps contain the spread of the virus, absent a vaccine. Digital technology can speed up contact tracing through mobile apps. Using communications data, GPS, and/or Bluetooth technology, such an app determines when users are in close proximity to each other for a period long enough to transmit the virus. When a user reports COVID-19-like symptoms to the app, it traces the devices that came in contact with the user’s device and notifies the concerned parties and authorities.
Despite their promised benefits, contact tracing apps are raising a growing number of data privacy concerns.
In April, the Philippines’ Inter-Agency Task Force for the Management of Emerging Infectious Diseases (IATF) adopted StaySafe.ph as the country’s “official social-distancing, health-condition-reporting, and contact-tracing system.”
However, in early June, former Information and Communications Technology Undersecretary Eliseo Rio Jr. questioned StaySafe.ph’s effectiveness, saying it is “a health monitoring app with a location tracker,” but has “no contact tracing capability.”
He added that some of the app’s permissions were excessive. Lawyer Jam Jacob of the Foundation for Media Alternatives, meanwhile, raised concerns about accountability. Although the app is developed and managed by a private firm, its website identifies the National Task Force (NTF) Against COVID-19 as the data controller. The NTF, however, is composed of multiple government agencies, so accountability is not clear for now.
In response to these issues, the IATF issued Resolution No. 45 on June 10 directing Multisys Technologies Corp. (Multisys), StaySafe.ph’s developer, to enter into an agreement with and donate the app to the Department of Health (DOH). The donation shall include the app’s source code, all data, data ownership, and intellectual property. All data collected shall be migrated to the DOH’s COVID-Kaya system. Multisys has 30 days to comply with the directive, which means the MOA with the DOH should be signed by July 10.
Some countries and organizations have issued guidelines and standards for the use of digital proximity tracking technologies. The World Health Organization (WHO), the European Union (EU), the United Kingdom’s (UK) Information Commissioner’s Office (ICO), and tech companies like Apple and Google highlight three common principles: transparency of purpose, limited data retention, and accountability of authorities.
Transparency here means providing users with clear and reader-friendly information about the purpose of the app, types of data to be collected, how data will be stored, processed, and shared, and how long the data will be retained.
Limited retention means that data should only be kept by the app for a specific period of time. The WHO suggests that data collected for battling COVID-19 should be deleted following the pandemic. Should data be retained for research and future epidemic planning, the UK ICO suggests that data be anonymized.
Accountability means that the data controller is clearly identified. Based on EU standards, in cases where there are different actors involved, their roles and responsibilities must be defined and explained to the app’s users.
In the Philippines, the National Privacy Commission has issued a bulletin on COVID-19-related apps and tools, emphasizing the need to make their purpose clear and data collection practices transparent.
As enshrined in the Data Privacy Act, data collection must be based on proportionality, i.e., the “processing of personal information must be relevant to, and must not exceed, the declared purpose.”
Arguably, digital technology offers a faster and more efficient means of contact tracing. However, more than the app, users need to trust the system and the people behind the technology. From the outset, governments and app developers must work harder at responding to data privacy and security concerns. Technology, after all, is only as good as how people use it, and as valuable as the results it helps society achieve.
* * *
(With inputs from Lito Averia, Liel Pascual, Grace Mirandilla-Santos, and William Yu)
Jestine Mendoza is a program officer for The Asia Foundation-Philippines’ Economic Reform and Development Entrepreneurship unit. She also works with Secure Connections, the Foundation’s cybersecurity project. The views expressed in this article do not necessarily reflect the views of The Asia Foundation-Philippines.