The ABTraceTogether App - Key Privacy Considerations
In a bid to help combat the spread of the novel coronavirus (COVID-19), Alberta has become the first Canadian province to launch a contact tracing app to track community transmission of COVID-19.
Alberta released the app, ABTraceTogether, on May 1, 2020. The app uses Bluetooth technology to identify users who have been in physical proximity with COVID-19 infected users. Once potential exposure has been detected, the app alerts the user, who can then choose to get tested. This method of contact tracing has been used in other jurisdictions to slow transmission of the virus; however, the app’s ability to track users’ contacts and movements within the community has raised concerns around privacy and data collection.
Recently, the Federal, Provincial and Territorial Privacy Commissioners issued a joint statement [1] inviting governments using contact tracing apps to do so in accordance with a prescribed set of privacy principles. We summarize these principles and provide information on how the ABTraceTogether app addresses them below.
Consent, Transparency and Accountability
The first principles outlined by the Privacy Commissioners are consent, transparency and accountability. The Commissioners stress that users must voluntarily choose to use the app and their consent must be meaningful. The Commissioners note that Governments must be clear about why information is being collected and users must be fully informed about how their information will be used, who will have access to it, and how it will be retained and destroyed.
The ABTraceTogether app uses an affirmative consent model, so that once users download the app, they are provided with a privacy statement detailing how and for what purposes their data will be used and are expressly asked to consent to this use. A user’s choice to download and use the app is voluntary and they can revoke their consent at any time. Once a user revokes their consent, any data collected from their phone will no longer be associated with them and their User ID and mobile number are deleted from the server. Concerns have been raised with respect to how long user data collected by the app will be stored post-pandemic and how this data could be used in the future. The Government of Alberta has provided the following information with respect to the app:
a. Retention of data: Once a user chooses to upload his or her contact logs, these logs are maintained by Alberta Health Services for a set period of 21 days. Any non-identifying data related to use of the app is retained for a period of 18 months and any analytical reports and assessments derived from data collected by the app are “maintained in accordance with records retention and disposition policies of Alberta Health and Alberta Health Services”.
b. Use of data: According to the ABTraceTogether privacy statement, the app does not track users’ location. Instead, users’ phone numbers are used in conjunction with Bluetooth technology to identify contacts and alert them of possible exposure to the virus. Once a user has been alerted, they have the choice to get tested and to provide Alberta Health Services with access to their ABTraceTogether data to allow for contact identification and notification.
The Commissioners also note that Governments should provide an ongoing monitoring and evaluation plan to determine the effectiveness of these types of contact tracing apps and publicly post the results. The Commissioners have recommended that these results and evaluation measures be reviewed by an independent third party such as a privacy commissioner’s office to help gain public trust in using contact tracing apps such as ABTraceTogether.
Necessity and Proportionality
The Commissioners’ joint statement recommends designing public health measures carefully tailored to achieve the specific public health purpose for which they were created, in the least intrusive way possible.
The ABTraceTogether app collects users’ information pursuant to the Health Information Act and the Freedom of Information and Protection of Privacy Act. According to the app’s privacy statement, users’ personal information is collected for the purposes of “health system management and planning, policy development and analysis of the public health emergency.” Information collected is not identifiable to a specific person and the app will only be used for contact tracing during the COVID-19 pandemic. Once the pandemic ceases, users will be prompted to disable the app’s functionality.
The Commissioners also stress using legal and technical security safeguards to protect personal information collected. It is recommended that information be de-identified and destroyed when it is no longer necessary.
The Government of Alberta has taken measures to protect the data collected by the ABTraceTogether app. For example, data is collected and maintained in the form of de-identified contact logs and user IDs. Once a user consents to the use of their information, they are issued an anonymized user ID. This user ID is exchanged with other users via Bluetooth as a means of alerting them to possible exposure, without allowing them to access the individually identifying data of other users. User IDs are also encrypted and can only be decrypted by Alberta Health or Alberta Health Services.
While the principles outlined above have been discussed in the context of contact tracing apps, it is worth noting that these principles apply to the collection, use and disclosure of personal information in a number of industries. As employers begin to invite their employees back into the office work environment, they will find themselves tackling the very same issues raised above.
In the private sector, the collection of personal information is governed by the Personal Information Protection Act. Linking the nature of the information collected and whether it reasonably achieves the purpose contemplated at the time of collection has always been a cornerstone of proper data collection. Large scale data collection projects like tracing apps only magnify these existing principles.
The Alberta Information and Privacy Commissioner is currently reviewing the Privacy Impact Assessment of ABTraceTogether and is expected to provide recommendations directly to the Government of Alberta.
For questions related to COVID-19 or privacy law in general, please contact Field Law's Privacy + Data Management Group.
[1] Supporting public health, building public trust: Privacy principles for contact tracing and similar apps - Joint Statement by Federal, Provincial and Territorial Privacy Commissioners (May 7, 2020), https://www.priv.gc.ca/en/opc-news/speeches/2020/s-d_20200507/