May 7, 2020 - Health Sector, Private Sector, Public Sector

Canada’s Information and Privacy Commissioners Set Out Privacy Principles for Contact-Tracing Apps

Contact-tracing apps, or apps that notify individuals that they have likely been in contact with a confirmed or suspected carrier of COVID-19, can help prevent the further spread of the virus, but must leverage personal information to do so.  Federal, Provincial and Territorial  Information and Privacy Commissioners (“FPT Commissioners”) released a joint statement earlier today, calling on their governments and public health authorities to respect fundamental privacy principles when deploying such apps, including:  

  • Consent and Trust. Centrally, the use of any such app must be voluntary.
  • Legal Authority. There must be a clear legal basis grounded in meaningful consent specific to the public health purposes intended.
  • Necessity, Proportionality, Effectiveness, and Minimal intrusiveness. To achieve these principles, any measure used must be evidence-based and carefully tailored.
  • Purpose Limitation to the public health purpose intended.
  • De-identified or aggregate data should be used whenever possible.
  • Any exceptional measures should be time-limited.
  • Transparency by governments about the basis and terms of the measures. Accordingly, the following information should be available to Canadians:
    • what information is being collected;
    • how it will be used;
    • who will have access to it;
    • where it will be stored;
    • how it will be securely retained;
    • when it will be destroyed.
  • Accountability. The FTP Commissioners recommend oversight by an independent third-party to ensure accountability and reinforce public trust. They suggest mandates to conduct independent audits be given by governments to individual commissioners where the authority to conduct such audits does not already exist.
  • Safeguards – both legal and technical security – must be put in place to prevent unauthorized access and unintended uses. Meanwhile, the public should be made aware of the risks. 

Alberta Health is one of the first in the country to have submitted a PIA, to the Information and Privacy Commissioner of Alberta, in respect of an app it recently launched in its fight against COVID-19. The Alberta Commissioner is currently reviewing the PIA and will provide recommendations to the Alberta government, while monitoring the app’s implementation.