Privacy Guidelines on Use of location data and contact tracing tools in the context of COVID-19 outbreak
ANNEX AT GUIDELINES 04/2020 – CONTACT TRACING APPLICATIONS ANALYSIS GUIDE
0. Disclaimer
The following guidance is neither prescriptive nor exhaustive, and the sole purpose of this guide is to provide general guidance to designers and implementers of contact tracing applications. Solutions other than the ones described here can be used and can be lawful as long as they comply with the relevant legal framework (i.e. the GDPR and the “ePrivacy” Directive). It must also be noted that this guide is of a general nature. Consequently, the recommendations and obligations contained in this document must not be seen as exhaustive. Any assessment must be carried out on a case-by-case basis, and specific applications may require additional measures not included in this guide.
1. Summary
In many Member States stakeholders are considering the use of contact tracing applications to help the population discover whether they have been in contact with a person infected with SARS-CoV-2.
The conditions under which such applications would contribute effectively to the management of the pandemic are not yet established, and these conditions would need to be established prior to any implementation of such an app. Yet it is relevant to provide guidelines bringing relevant information to development teams upstream, so that the protection of personal data can be guaranteed from the early design stage.
It must be noted that this guide is of a general nature. Consequently, the recommendations and obligations contained in this document must not be seen as exhaustive. Any assessment must be carried out on a case-by-case basis, and specific applications may require additional measures not included in this guide. The purpose of this guide is to provide general guidance to designers and implementers of contact tracing applications. Some criteria might go beyond the strict requirements stemming from the data protection framework. They aim at ensuring the highest level of transparency, in order to favour social acceptance of such contact tracing applications.
To this end, publishers of contact tracing applications should take into account the following criteria:
- The use of such an application must be strictly voluntary. It may not condition the access to any rights guaranteed by law. Individuals must have full control over their data at all times, and should be able to choose freely to use such an application.
- Contact tracing applications are likely to result in a high risk to the rights and freedoms of natural persons and to require a data protection impact assessment to be conducted prior to their deployment.
- Information on the proximity between users of the application can be obtained without locating them. This kind of application does not need, and hence should not involve, the use of location data.
- When a user is diagnosed as infected with the SARS-CoV-2 virus, only the persons with whom the user has been in close contact within the epidemiologically relevant retention period for contact tracing should be informed.
- The operation of this type of application might require, depending on the architecture that is chosen, the use of a centralised server. In such a case, and in accordance with the principles of data minimisation and data protection by design, the data processed by the centralised server should be limited to the bare minimum:
  a) When a user is diagnosed as infected, information regarding their previous close contacts or the identifiers broadcast by the user’s application can be collected only with the user’s agreement. A verification method needs to be established that allows asserting that the person is indeed infected without identifying the user. Technically this could be achieved by alerting contacts only following the intervention of a healthcare professional, for example by using a special one-time code.
  b) The information stored on the central server should neither allow the controller to identify users diagnosed as infected or having been in contact with those users, nor should it allow the inference of contact patterns not needed for the determination of relevant contacts.
- The operation of this type of application requires broadcasting data that is read by the devices of other users, and listening to these broadcasts:
  c) It is sufficient to exchange pseudonymous identifiers between users’ mobile equipment (computers, tablets, connected watches, etc.), for example by broadcasting them (e.g. via the Bluetooth Low Energy technology).
  d) Identifiers must be generated using state-of-the-art cryptographic processes.
  e) Identifiers must be renewed on a regular basis to reduce the risk of physical tracking and linkage attacks.
- This type of application must be secured to guarantee safe technical processes. In particular:
  f) The application should not convey to the users information that allows them to infer the identity or the diagnosis of others. The central server must neither identify users, nor infer information about them.
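The following is an added illustration, not code from the guidelines or from any national application, of how criteria a), c), d) and e) fit together on a device: a per-day secret that never leaves the phone, broadcast identifiers derived from it with a keyed hash and renewed every slot so that they cannot be linked without the secret, local pruning of sightings after the retention period, and exposure matching performed on the device against the day keys a diagnosed user chose to publish. The rotation interval, retention period and identifier length are assumptions; the guide leaves them to health authorities.

```python
from __future__ import annotations
import hashlib
import hmac
import os

# Assumed parameters (the guide leaves them to the health authorities).
ROTATION_SECONDS = 15 * 60          # how often a broadcast identifier is renewed
RETENTION_SECONDS = 14 * 24 * 3600  # epidemiologically relevant retention period
SLOTS_PER_DAY = 86400 // ROTATION_SECONDS

def new_day_key() -> bytes:
    """Fresh random per-day secret, generated and kept on the user's device."""
    return os.urandom(32)

def ephemeral_id(day_key: bytes, slot: int) -> bytes:
    """Pseudonymous identifier for one rotation slot: HMAC-SHA256 keyed by the
    day key, truncated to 16 bytes so it fits a BLE advertisement payload.
    Without the day key, identifiers from different slots cannot be linked."""
    return hmac.new(day_key, slot.to_bytes(4, "big"), hashlib.sha256).digest()[:16]

def ids_for_day(day_key: bytes) -> set[bytes]:
    """All identifiers a device broadcasts over one day under a given day key."""
    return {ephemeral_id(day_key, slot) for slot in range(SLOTS_PER_DAY)}

def prune_observations(observed: list[tuple[bytes, int]], now: int) -> list[tuple[bytes, int]]:
    """Drop locally stored sightings (identifier, unix time) older than the retention period."""
    return [(eid, t) for eid, t in observed if now - t <= RETENTION_SECONDS]

def find_exposures(observed: list[tuple[bytes, int]], published_day_keys: list[bytes]) -> list[int]:
    """Run on the device, not on the server: recompute the identifiers of the day
    keys that diagnosed users agreed to publish and intersect them with the local
    sightings. Returns only the times of matching sightings, never who was met."""
    published: set[bytes] = set()
    for key in published_day_keys:
        published |= ids_for_day(key)
    return sorted(t for eid, t in observed if eid in published)
```

The server in this model only relays the published day keys (after the healthcare one-time code check of criterion a) and never sees the sightings, which is what keeps it from identifying users or inferring contact patterns as criteria b) and f) require.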
Disclaimer: the above principles are related to the claimed purpose of contact tracing applications, and to this purpose only, which is solely to automatically inform people potentially exposed to the virus (without having to identify them). The operators of the application and its infrastructure may be controlled by the competent supervisory authority. Following all or part of these guidelines is not necessarily sufficient to ensure full compliance with the data protection framework.
2. Definitions
Contact: For a contact tracing application, a contact is a user who has participated in an interaction with a user confirmed to be a carrier of the virus, and whose duration and distance induce a risk of significant exposure to the virus infection. Parameters for the duration of exposure and the distance between people must be estimated by the health authorities and can be set in the application.
Location data: All data processed in an electronic communications network or by an electronic communications service indicating the geographical position of the terminal equipment of a user of a publicly available electronic communications service (as defined in the ePrivacy Directive), as well as data from potential other sources, relating to:
- the latitude, longitude or altitude of the terminal equipment;
- the direction of travel of the user; or
- the time the location information was recorded.