Health applications are being developed as part of the measures considered for the de-escalation phase of the coronavirus confinement. They may serve to study people’s social interactions or be used as health passports to access the workplace, public transport or commercial centres. Tools initially created for health and safety reasons risk being turned into instruments for monitoring the population if the principles of data protection are neglected. There are basic standards that public authorities, private companies or civil society organisations developing such applications should respect. Here is a checklist in eight points.
The General Data Protection Regulation (GDPR) provides a list of principles that will help you develop your application responsibly. You should take these rules into account at the very beginning of the development process, not once your application is complete.
Data protection should be implemented by design and by default1, to use the GDPR language. This means that technological choices and their implications for data protection should be considered in the early stages of development. An application relying on Bluetooth proximity detection, for example, may be more privacy-friendly than one based on location data, because it can record that two devices were near each other without ever learning where either of them was.
Determining the appropriate legal basis to process the personal data collected by the application that you are developing should be the first thing that you consider (lawfulness principle2).
Taking into account that the application will mainly process health and location data, three legal bases would allow you to process the data needed to achieve your goal:
- consent3;
- vital interests4; or
- public health5.
We have already discussed the differences between the three legal bases (cf. Health Data in the Time of Coronavirus), but you should keep in mind that the vital interests legal basis and exception apply to a limited number of cases, and that the public health exception must already be provided for in national legislation or would require a new law to be passed.
Consent should be the privileged legal basis when it comes to location data6, and it is also the appropriate basis for processing health data in the context of an application relying on personal data to fight the coronavirus.
Where consent is the legal basis, it must be “freely given”7. This excludes making the use of the application compulsory or penalising those who refuse to install it. You should also steer away from any guilt-tripping messaging to persuade people to download the application and register to use it.
Data must be collected for a specified, explicit and legitimate purpose8, which in the present case is to end the Covid-19 epidemic. The fairness principle9 requires that you use the collected data solely in pursuit of that objective. The data cannot be used for commercial or any other purposes.
Generally, people should be treated fairly, an obligation tightly connected to respecting individuals’ rights provided for by the GDPR (see below).
Transparency is a fundamental principle in the GDPR10. It must be applied strictly, especially in a time of crisis, to preserve the public trust.
You should be clear and transparent about how personal information will be used. You should state publicly and unequivocally:
- What data are processed (identification, health, location, etc.);
- Why they are processed (clear description of the purpose of the processing);
- Who is processing them (the company or authority that has developed the application, third parties, etc.);
- How they are processed (locally on the phone, through a centralised server, technology used, etc.);
- Who the data will be shared with (other authorities, researchers, etc.).
Data minimisation is among the most important principles of the European data protection legal regime11. It is based primarily on two legal principles: necessity and proportionality.
You must collect only the data strictly necessary to achieve the goal of the application, and you must be able to demonstrate a substantial connection between each item of personal data used and the stated purpose.
Processing must not go beyond what is necessary to achieve that objective, and you must prefer the least intrusive measures that are appropriate to achieve it.
Data should not be processed for a longer period of time than what is necessary to end the Covid-19 crisis, according to the storage limitation principle12. After the emergency has ended, all data related to the fighting of the epidemic must be securely deleted or destroyed.
Your responsibility does not stop at determining the legal basis to collect personal data, it extends to the complete life of the data. You must take security measures at all stages of the processing13, whether it be the collection, storage, study, transmission or sharing of data.
You must bear in mind the sensitive nature of the collected data and realise that there is a risk that they may be used for other purposes, in the event of a data breach for example. People may be stigmatised for being or having been infected by the coronavirus. Data may also be used by an insurer to assess risks, by an employer to decide whether to hire an individual, or by an appraiser to determine the value of properties in a neighbourhood particularly affected by the epidemic.
You must make sure that the collected data are safe, whether on a person’s smartphone or on a server, depending on the technology used. This implies that you take all the necessary measures to ensure the security of the application and of the server on which the data are stored. Aggregation, encryption or pseudonymisation of data may provide the required level of security14. Note that pseudonymised data remain personal data under the GDPR: the key or lookup table that allows re-identification must be stored separately from the data and protected with at least the same care.
You should also maintain the confidentiality of the processed data at all times. This includes the obligation to prevent unauthorised or unlawful access to the data. You should restrict access to the data to a limited number of named persons, on a need-to-know basis.
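The following is an added example, not code from the original text, illustrating the pseudonymisation point above and the caveat that comes with it. It replaces a direct identifier (a phone number) with a keyed HMAC-SHA256 pseudonym so that records of the same person remain linkable for epidemiological follow-up while the identifier itself is never stored alongside the health data. It also shows why an unkeyed hash is not a pseudonym: the space of phone numbers is small enough to enumerate, so an attacker can re-identify a plain SHA-256 digest by brute force, whereas the keyed version cannot be reversed without the secret key. The records, phone numbers and candidate number range are constructed for the example; the helper names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real data): a raw test log as it might
# arrive at the pseudonymisation service, before the identifier is removed.
RECORDS = [
    {"phone": "+3225550101", "test_result": "positive", "test_date": "2020-05-04"},
    {"phone": "+3225550102", "test_result": "negative", "test_date": "2020-05-04"},
    {"phone": "+3225550101", "test_result": "negative", "test_date": "2020-05-18"},
]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256: looks anonymous but is reversible by enumeration."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held only by the pseudonymisation service.

    Without the key, the only way to recover the identifier is to guess it and
    also guess the key, which is infeasible for a 256-bit random key.
    """
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Replace the direct identifier with a keyed pseudonym.

    The phone number is dropped entirely from the output; only the fields
    needed for the stated purpose (result and date) are kept.
    """
    out = []
    for r in records:
        out.append({
            "pseudonym": keyed_pseudonym(r["phone"], key),
            "test_result": r["test_result"],
            "test_date": r["test_date"],
        })
    return out


def reidentify_by_enumeration(target: str, candidates, hash_fn):
    """Dictionary attack: hash every candidate identifier and compare.

    Models an attacker who obtained a leaked table and knows the numbering
    scheme but does not know any secret key.
    """
    for c in candidates:
        if hmac.compare_digest(hash_fn(c), target):
            return c
    return None


def demo():
    """Returns (identifier recovered from naive hash, identifier recovered from HMAC)."""
    key = secrets.token_bytes(32)  # generated per deployment, stored in a separate secret store
    # Constructed candidate space: the attacker knows numbers look like +32255501xx.
    candidates = [f"+32255501{i:02d}" for i in range(100)]

    leaked_naive = naive_pseudonym("+3225550101")
    recovered_naive = reidentify_by_enumeration(leaked_naive, candidates, naive_pseudonym)

    leaked_keyed = keyed_pseudonym("+3225550101", key)
    # The attacker has no key, so the best available guess is the unkeyed hash.
    recovered_keyed = reidentify_by_enumeration(leaked_keyed, candidates, naive_pseudonym)
    return recovered_naive, recovered_keyed


if __name__ == "__main__":
    print(demo())  # ('+3225550101', None)
    for row in pseudonymise(RECORDS, secrets.token_bytes(32)):
        print(row)
```

Two things follow from the design. First, because the same key always yields the same pseudonym, the two records belonging to +3225550101 stay linked, which is what distinguishes pseudonymisation from anonymisation and why the result is still personal data. Second, destroying the key at the end of the crisis is a concrete way of honouring the storage limitation principle: once the key is gone, the remaining table can no longer be linked back to individuals, even by the service that produced it.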
Data protection is a comprehensive legal regime in the European Union, covering most aspects of privacy-related concerns. You must fully comply with all the GDPR requirements. Concretely, you must guarantee individuals’ rights, such as the right of access15, the right to rectification16, the right to erasure17 and the right to restriction of processing18. You must also provide appropriate remedies in case of disputes.
Your application will only make a difference if it is adopted by a substantial part of the population. People will agree to download and use it if they trust that their right to data protection is respected. Developing a contact tracing or health data tracking system is already a technological challenge; an equal investment in respecting data protection law must be made.
* A French version of this text was published under the title Guide pratique pour la protection des données et le développement d’applications de santé.
1 Art. 25 GDPR.
2 Art. 5 (1) (a) GDPR.
3 Art. 6 (1) (a) and 9 (2) (a) GDPR.
4 Art. 6 (1) (d) and 9 (2) (c) GDPR.
5 Art. 9 (2) (i) GDPR.
6 Article 29 Working Party, Opinion 13/2011 on Geolocation Services on Smart Mobile Devices (2011), p. 13.
7 Art. 4 (11) GDPR.
8 Art. 5 (1) (b) GDPR.
9 Art. 5 (1) (a) GDPR.
10 Art. 5 (1) (a) GDPR.
11 Art. 5 (1) (c) GDPR.
12 Art. 5 (1) (e) GDPR.
13 Art. 5 (1) (f) GDPR.
14 Cf. Luk Arbuckle and Khaled El Emam, Anonymizing Health Data – Case studies and methods to get you started, Sebastopol, O’Reilly Media, 2013; and International Organization for Standardization, Health Informatics – Pseudonymization, doc. ISO 25237 (2017).
15 Art. 15 GDPR.
16 Art. 16 GDPR.
17 Art. 17 GDPR.
18 Art. 18 GDPR.