Nova Scotia recently became the eighth province to onboard the federal government's COVID-19 exposure notification application, joining Ontario, Newfoundland and Labrador, New Brunswick, Saskatchewan, Quebec, Manitoba, and Prince Edward Island. COVID Alert provides iOS and Android users with the ability to be notified if their device (i.e., smartphone) comes in close proximity of someone who later tests positive for COVID-19. Public health officials believe that if it is widely used across Canada, COVID Alert has the potential to provide a quick and efficient way of tracing the virus, thereby limiting its spread. However, the introduction of this tracking technology into the national COVID-19 response presents new privacy issues for Canadians to consider.
How COVID Alert Works
COVID Alert employs Bluetooth technology to determine when two App users come within close proximity of each other (i.e., closer than two metres apart for more than fifteen minutes). Instead of relying on GPS, the App uses proximity tracking (which measures signal strength) to determine whether two devices were close enough for the virus to have spread between their users. Running in the background of a user's cell phone, COVID Alert generates randomized codes on a user's device. These codes are then exchanged with other phones operating COVID Alert (every five minutes) when the users come into close proximity with each other.
Participating provinces will be required to distribute one-time keys to COVID Alert users who have tested positive. If someone using the App is diagnosed with COVID-19, they can then choose to upload the random codes sent from their phone. Once the key is entered into the App, it notifies other users who were in close proximity of their possible exposure to the virus. Users receiving the exposure notification will not know the infected user's name, nor when or where they were exposed.
Unfortunately, there is no guarantee the infected individual will enter the code promptly or even at all. For example, a recent report from CTV News suggests that only 5% of confirmed COVID-19 cases in Ontario used the App to report their infections. Other COVID Alert users who have tested positive for coronavirus have raised concerns that they were unable to get a one-time key to enter their results into the App.
COVID Alert & Privacy Considerations
While the use of COVID Alert is voluntary and is intended for the limited purpose of reducing the spread of the virus, the federal government has stressed that the App has been developed with applicable privacy law in mind to ensure that individuals' rights are respected.
For example, by relying on Bluetooth instead of GPS, the government claims the App has no way of knowing the user's location, name, address, health information, or time and place of coming into contact with an infected individual. The randomized codes are also de-identified from the user, then encrypted and stored on the user's device for 14 days before being deleted.
In addition, Health Canada has committed to shutting down COVID Alert within 30 days of the end of the pandemic. This includes the deletion of any data stored on the federal government's servers, such as the number of one-time positive codes used, and erasure of the randomized codes from user devices.
The Office of the Privacy Commissioner of Canada (OPC) has also confirmed their satisfaction with the design of COVID Alert, and that it meets all of the privacy principles outlined in the May 2020 joint statement issued by federal, provincial, and territorial Privacy Commissioners regarding privacy principles for contact tracing and similar apps. The OPC is also providing oversight by conducting regular audits of COVID Alert following its launch.
In May, the World Health Organization (WHO) published guidelines for countries considering the use of proximity tracking technology during the pandemic. In these guidelines, WHO highlighted the need for laws, policies and oversight mechanisms, including legislation, to ensure data generated through proximity tracking technologies (like COVID Alert) is strictly limited in its collection, use, and eventual destruction when the pandemic ends.
Despite these recommendations, the Government of Canada maintains that the App is exempt from the operation of the federal Privacy Act. Federal government representatives have stated that since COVID Alert does not collect information about an identifiable individual as defined in the legislation, no personal information is gathered by the App that would trigger its application. However, in its review of the App, the OPC cautioned that without the formal application of privacy laws, individuals have no legal recourse against any unlawful use or disclosure of the data collected.
Unless the federal government guarantees the protection of users' data, it could be susceptible to uses outside of the App's mandated purpose (and be at risk to a data breach or other cybersecurity incident).
Health Canada currently reports that more than four million Canadians have downloaded the App since its launch in late July. Various studies have estimated that tools like COVID Alert would need a participation rate anywhere from 15% to 60% to be effective.
If Canadians are going to feel secure using COVID Alert on the scale required to effectively trace the coronavirus, stronger privacy protections (and related messaging) are warranted regarding the regulation, use, and disclosure of the information collected by proximity tracking technology – especially once the pandemic ends. Privacy legislation in Canada must reflect the new reality brought on by COVID-19 in order to properly balance public health with individual privacy rights. While the federal government has made efforts to ensure user data is safe today, more needs to be done to protect it tomorrow.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.