Several countries are using aggregate or individual data about people to track COVID-19’s spread. A measured, rights-based approach should guide us.

As the COVID-19 pandemic wreaks havoc around the globe, governments are increasingly experimenting with data and technology in their struggle to contain the disease and limit its impacts. This is adding considerable pressure on Canada to do more – and quickly. But privacy rights, framed by concepts of necessity and proportionality, must also shape the responses we take.

In Canada, federal and provincial governments have their own sources of data, including statistical and public health data as well as that generated by the health-care system. But governments have relatively little location and tracking data for individuals. This is in part because they do not normally need such information, but also because constitutional rights to privacy require court authorization for tracking individuals’ activities. Our governments simply do not – and should not – routinely collect such data.

However, the private sector operates under different rules. Collecting location data is essential to providing some services; for others, it isn’t essential, but profitable, and weak data protection laws have allowed widespread collection and sharing of location data via mobile apps. Individuals ostensibly consent to such practices through privacy policies that are overly long, complex, and subject to unilateral change. In many instances, we are unaware of the quantity or quality of location data collected by apps and devices, or of how many different companies are collecting – and sharing – this data. The result is vast stores of location data in the hands of companies, often without subjects having a clear sense of what has been collected or by whom. As we continue to tap into the benefits of the Internet of Things, other rich and often sensitive data about ourselves – collected from our cars, digital personal assistants, smart appliances, and fitness trackers – make us increasingly transparent to opaque corporations.

Can governments tap into these stores of private-sector data? Should they? These are separate questions, and if the answers differ, it’s because our laws have allowed private sector collection and use of personal data to consistently erode privacy and human rights.

That said, in a time of crisis, we tend to focus pragmatically on what can be done within the boundaries of the law. If the data already exists, should we not use it to serve the broader public interest?

Data about people in the aggregate may be highly relevant and useful, and some companies seem willing to share such data with governments to use in mapping outbreaks and modelling the spread of the COVID-19 virus. The U.S. government, for example, is said to be in talks with major platform companies about sharing aggregate data. Several European countries are also reportedly using aggregate data from telcos to better understand the spread of infection or patterns of movement of the population.

Plans of this kind are afoot in Canada as well. Data protection laws do not prevent the sharing of aggregate data, although care must be taken to ensure it’s properly de-identified. Location information, with other available data, is particularly useful to identify specific individuals and must therefore be treated with caution. But if appropriate care is taken, in consultation with federal or provincial privacy commissioners, the use of aggregate and de-identified data should pose relatively few legal problems.

A girl holds a smartphone with TraceCovid app in Rotterdam, the Netherlands on April 7, 2020. Photo by Robin Utrecht/ABACAPRESS.COM

By contrast, data protection laws limit the circumstances in which government institutions can collect personally identifiable information. Most require direct collection from the individual, with certain exceptions. Private-sector data protection laws also limit organizations sharing their data (including with governments) without consent, although there are many exceptions. Those include emergencies, where an individual’s life is at risk; or, where a specific law permits data sharing. Thus, governments could enact emergency legislation requiring information sharing, although they would be wise to also enact provisions that ensure this information is used only for exceptional circumstances identified in the law, and retained only so long as is necessary.

One way or another, governments could, in an emergency, compel the private sector to share data – for example, for contact-tracing purposes. Once a person is known to be infected, their recent movements could be tracked to identify possible contacts to self-isolate to limit further spread of the disease. Israel and South Korea have gone this route. This kind of use of data is much more privacy-invasive. Appropriate safeguards and oversight are required – as the Supreme Court of Israel recently reminded the Israeli government.

Data and technologies used to track individuals are far more problematic. Taiwan, Singapore, and Poland, for example, are reportedly using apps that collect location data to ensure that individuals with COVID-19 remain in quarantine. Such apps may include regular report-in requirements – complete with additional geolocation data – to prevent individuals from evading quarantine by turning off phones or leaving them at home. Hong Kong uses a GPS-enabled wearable device for similar monitoring purposes.

Such tracking measures are inherently privacy-invasive. A law enabling tracking for public health purposes would have to hold up to constitutional scrutiny, but might be justified on the basis that it applies to individuals who present a real threat to the population if they evade quarantine. However, in a context – Ontario, for example – where many people with symptoms are not even tested, it might be disproportionate to subject the subset that is tested to the equivalent of monitored house arrest, while symptomatic but untested individuals voluntarily self-isolate. Such distinctions might even discourage those with mild-to-moderate symptoms from seeking testing (assuming it is even available).

Singapore and South Korea have also, controversially, publicized very loosely de-identified personal information, including detailed location data, about people who have tested positive for COVID-19. Concerned members of the public can search these data to see if they have been in specific areas at the same time as infected persons. But the program raises concerns about privacy and vigilantism.

In an era of data-driven technological innovation, demands that this be used to combat the spread of COVID-19 aren’t surprising. Some tech tools seem superficially attractive, belying the costs to privacy and human rights. Canadian federal and provincial privacy commissioners can offer crucial guidance to policy-makers on working within the boundaries of existing law, or on designing emergency measures that are balanced and time-limited. Careful journalism and civil society are also crucial to exposing and measuring solutions that threaten fundamental social values.

Privacy is no barrier to solutions to pandemic problems; however, privacy rights, framed by concepts of necessity and proportionality can – and should – shape data-driven responses.

This article is part of the The Coronavirus Pandemic: Canada’s Response special feature.

Photo: Shutterstock, by elenabsl.