More than six months into the COVID-19 outbreak, governments and private sector organisations are continuing to invest heavily in the development of contact tracing applications. As part of the response to the pandemic, these applications can be important tools for tracking an infected individual’s contact with others and can assist in managing the spread of the virus.
While there’s no doubt that many things need to be done well for a contact tracing application to achieve desired outcomes, one key prerequisite for success is getting privacy right. The Office of the Australian Information Commissioner’s recent Australian Community Attitudes to Privacy Survey 2020 produced a number of insights that highlight the importance of privacy to the community and the kinds of privacy issues that many individuals are increasingly concerned about due to the pandemic, such as the protection of location information. Application developers need to have the right privacy measures in place to address these kinds of concerns and build public confidence so that significant uptake is achieved and the management of community health is supported without disproportionately affecting privacy.
At a minimum, getting privacy right for a contact tracing application should mean that developers:
Applying the data minimisation principle
The data minimisation principle requires that only personal information that is necessary is collected and retained. It is a principle that is reflected in many privacy regulations around the world, including within the Australian Privacy Principles.
In developing a contact tracing application, applying the data minimisation principle involves assessing the specific kinds of information collected and the parameters of collection against the purposes of the application. This should result in the streamlining of data processing so that unnecessary privacy risks that can arise due to excessive data retention are avoided. For example, every contact tracing application will need to collect some form of information that reveals an individual’s proximity to an infected person, for the purpose of identifying a heightened risk of infection. Applying the data minimisation principle should see careful consideration of the specific information that is necessary to effectively achieve this purpose.
Some developers have sought to rely on location data to track the movements of individuals and determine their risk of exposure to the virus. Location data, however, reveals not only an individual’s proximity to an exposed person but also where in the world that individual has been. For many applications, this information is likely to be more than what is reasonably necessary for the purposes of contact tracing, and it carries additional privacy risks given the potential consequences of misuse. Other developers have treated proximity data collected via Bluetooth as a more suitable alternative to location data. This information, revealing only the proximity between two devices over a period of time, is less intrusive, and it is the basis for the contact tracing solution developed jointly by Apple and Google that is being used in a number of leading applications around the world.
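As an added illustration (not code from this article or from the Apple and Google system), the following Python sketch shows what a data-minimised proximity record can look like: raw Bluetooth scans are collapsed into pseudonymous contact entries that hold only a rolling identifier, a first-seen time and an accumulated close-range duration; weak or stale observations are dropped; and no location field exists anywhere in the stored data. The thresholds, the retention window and the identifier format are assumptions made for the example.

```python
"""Illustrative data-minimising proximity log (example added to this
article; it is not the Apple/Google Exposure Notification code). The phone
keeps only what is needed to flag a close contact later: the pseudonym the
other device broadcast, when it was first seen and how long it stayed close."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

RETENTION_SECONDS = 14 * 24 * 3600  # assumption: 14-day retention window
CLOSE_RSSI_DBM = -70                # assumption: stronger than this counts as close
SCAN_INTERVAL_SECONDS = 60          # assumption: one scan per minute
MIN_CLOSE_SECONDS = 15 * 60         # assumption: 15 close minutes make a contact

@dataclass
class Contact:
    rolling_id: str     # pseudonym broadcast by the other device; rotates often
    first_seen: int     # Unix time of the first close-range scan
    close_seconds: int  # accumulated time within the close-range threshold

# One raw Bluetooth scan: (unix_time, rolling_id_heard, rssi_dbm). No location.
Scan = Tuple[int, str, int]

def minimise(scans: Iterable[Scan], now: int) -> Dict[str, Contact]:
    """Collapse raw scans into per-identifier contact records, discarding weak
    signals and anything older than the retention window."""
    contacts: Dict[str, Contact] = {}
    for ts, rid, rssi in scans:
        if now - ts > RETENTION_SECONDS or rssi < CLOSE_RSSI_DBM:
            continue  # too old to be useful, or too far away to be a contact
        c = contacts.setdefault(rid, Contact(rid, ts, 0))
        c.first_seen = min(c.first_seen, ts)
        c.close_seconds += SCAN_INTERVAL_SECONDS
    return contacts

def exposures(contacts: Dict[str, Contact], published_ids: Iterable[str]) -> List[Contact]:
    """Match stored contacts against identifiers published for a confirmed
    case; only sustained close contacts are reported."""
    published = set(published_ids)
    return [c for c in contacts.values()
            if c.rolling_id in published and c.close_seconds >= MIN_CLOSE_SECONDS]

# Constructed sample data: 20 minutes next to device A1, one weak glimpse of
# B2, and a long close contact with C3 that is older than the retention window.
NOW = 1_600_000_000
SAMPLE_SCANS: List[Scan] = (
    [(NOW - 3600 + 60 * i, "A1", -62) for i in range(20)]
    + [(NOW - 1800, "B2", -88)]
    + [(NOW - 15 * 24 * 3600 + 60 * i, "C3", -60) for i in range(30)]
)
```

Running `minimise(SAMPLE_SCANS, NOW)` keeps only the A1 record, and `exposures(...)` reports it only if A1 appears among the identifiers published for a confirmed case.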
Building trust through transparency
Application developers should be transparent about the application’s processing of personal information, and should clearly inform individuals of how their information is handled throughout the information lifecycle. This should include:
Being as transparent as possible assists in building trust, which is key to uptake. Additional transparency measures, such as outlining the information that will not be collected and the purposes for which collected information will not be used, can be particularly beneficial steps that can be taken to address privacy concerns and allow individuals to make informed choices.
Implementing a meaningful process to embed privacy by design
Transparency measures and data minimisation should follow if the right process is in place to embed privacy into the design of the application.
Key solution design decisions should not be made in isolation and only reactively assessed for privacy risks. Rather, application features should be collaboratively built with privacy in mind, and privacy risks should be iteratively assessed through a privacy impact assessment so that they are substantively addressed in the application design stage. Embedding privacy by design should also involve establishing security measures to protect personal information throughout the lifecycle, including encryption, access controls, and audit logs.
Data minimisation, transparency, and a meaningful approach to privacy by design will produce a contact tracing application that has the right privacy measures in place necessary for the application to have a positive impact on the community, without disproportionately affecting privacy. While a contact tracing application alone won’t eliminate risk, it can play an important part in managing community health and still meet basic privacy requirements.
Office of the Australian Information Commissioner, The Australian Community Attitudes to Privacy Survey 2020, September 2020.
Apple Inc., “Privacy-Preserving Contact Tracing,” accessed October 2020.