Protecting privacy and fighting COVID-19 pandemic are not mutually exclusive
AIH Technology has joined with Federal and Provincial Governments, researchers and non-profit organizations on our shared mission to address the COVID-19 pandemic.
We have partnered with the University of Waterloo to develop a computer vision-guided high-throughput fever screening technology to help minimize the risk of a resurgence of COVID-19. We look forward to offering our available technology stack to support the development of solutions that help contain the damaging effect of COVID-19 on our communities.
Upholding our duty to protect privacy as we develop technological solutions will be integral to the success of moving forward collectively as a society. We present the following privacy principles, which we recommend that governments, technology partners, public health authorities, academics, employers and various service providers consider when applying newly developed technologies to address the COVID-19 pandemic.
Here are some important principles to consider:
- Obtain meaningful consent by being transparent about the reason for collecting data, what data is collected, and how long it is stored. Data should only be collected with consent and used in the manner explained when people decide whether to participate. Clear and user-friendly information helps promote voluntary participation and ensures that everyone interacting with the technology makes an informed choice to participate in data collection and is aware of the purpose of the collection, the type of data that will be collected, the period for which the data will be held, and the benefits of the collection.
- Collect data only for public health purposes. The data collected from an individual for purposes of tracing those who have been in physical contact with an infected person and other public health purposes is owned by the individual and should remain under that person’s control. As a general matter, this data should be used by public health authorities only for the articulated public health purposes, and not for unrelated reasons. Public health authorities should provide input regarding the types of data that will be most useful for fighting the pandemic.
- Collect the minimal amount of data. Data that is collected by public health authorities for public health purposes, such as tracing, should be limited to only the specific data required, and should only be collected and used for the time period identified as necessary by public health experts.
- Provide choices to individuals about where their data is stored. The data must be wholly in the individual’s control, including allowing the individual to choose where to store this data, such as on a device or in the cloud.
- Provide appropriate safeguards to secure the data. Reliable security safeguards such as de-identification, encryption, rotating and random identifiers, decentralized identities or similar measures should be in place to protect people’s data from harmful exposure and hacking attempts.
- Do not share data or health status without consent, and minimize the data shared. An individual’s data or health status shouldn’t be shared with the individual’s contacts or others without securing the individual’s meaningful consent. If such sharing is pursuant to legal requirements, then the sharing should be strictly limited by the scope of the law. When notifying individuals that they may have been in physical contact with an infected person, only share the minimum amount of data necessary to protect against inferences about the identity of the infected person.
- Delete data as soon as it is no longer needed for the emergency. Individuals own their own data, whether stored on a device, a server or in the cloud. Copies of the data that were transferred to public health authorities and others for tracing and other public health purposes should be deleted when no longer useful for public health purposes, as defined by public health authorities. None of the individual’s information should be retained by the authorities or others for future unrelated uses or purposes.
These principles are designed to apply to any COVID-19 technological solution that involves the collection and use of personal data, such as health data. This approach is grounded in the fundamental principle that, for a technology to succeed, people need to be in control of their own data and be given transparent disclosure of how their data will be used.