With Prime Minister Justin Trudeau recently indicating the Government of Canada is investigating several smartphone apps and consulting with Apple and Google in respect of contact tracing efforts, digital contact tracing will likely play a critical role in combatting the spread of COVID-19 and preventing a resurgence of the virus once Canada’s economy reopens. The potential adoption of this public health measure, however, has led to greater public concern about increased surveillance and the protection of Canadians’ privacy.
What Is Contact Tracing?
Contact tracing is typically conducted by public health staff. When somebody tests positive for an infection, field workers conduct an interview to determine who they may have been in physical contact with and then set out to notify those individuals about their potential exposure. With many coronavirus transmissions occurring before symptoms appear, however, traditional contract tracing methods are not as effective at stopping the spread.
Digital contract tracing apps, which can either be centralized or decentralized meaning contact history can either be processed by a central authority, or by users on their own phones, seek to automate the traditional contract tracing process. Through bluetooth technology, which allows devices to connect to others nearby, phones can track where, when and for how long they have come into close proximity with other phones. Using that data, contact tracing apps have the capacity to inform users if they have come into contact with someone who has tested positive for COVID-19, and advise them to get tested or self-isolate.
The Privacy Law Implications
While the Canadian federal government has yet to formally adopt or recommend the use of contact tracing apps, certain provinces (Alberta, Newfoundland and Labrador) have already moved towards the use of this technology on a voluntary basis.
As the emergence of new technology to combat COVID-19 continues to permeate the public discourse, federal, provincial and territorial Privacy Commissioners issued a joint statement to Canadians in May regarding the use and implementation of contact-tracing apps given the “important privacy risks” raised by such technology. The Commissioners made clear that use of location data is a specific privacy concern. The Commissioners set out the following principles to be complied within the implementation of contract tracing technology:
Consent and Trust: The use of apps must be voluntary. Trust will also require that governments demonstrate a high level of transparency and accountability.
Legal Authority: The proposed measures must have a clear legal basis and consent must be meaningful.
Necessity and Proportionality: Measures must be science-based, necessary for a specific purpose, tailored to that purpose and likely to be effective.
Purpose Limitation: Personal information must be used for its intended public health purpose, and for no other purpose.
De-Identification: De-identified or aggregate data should be used whenever possible, unless it will not achieve the defined purpose. Consideration should be given to the risk of re-identification, which can be heightened in the case of location data.
Time-Limitation: Exception measures should be time-limited: any personal information collected during this period should be destroyed when the crisis ends, and the application decommissioned.
Transparency: Governments should be clear about the basis and the terms applicable to exceptional measures. Canadians should be fully informed about the information to be collected, how it will be used, who will have access to it, where it will be stored, how it will be securely retained and when it will be destroyed.
Accountability: Governments should develop and make public an ongoing monitoring and evaluation plan concerning the effectiveness of these initiatives and commit to publicly posting the evaluation report within a specific timeframe.
Safeguards: Appropriate legal and technical security safeguard, including strong contractual measures with developers, must be put in place to ensure that any non-authorized parties do not access data, and that the data is not used for any purpose other than its intended health purpose.
This joint statement follows the release of an assessment framework in April by the Office of the Privacy Commissioner of Canada (“OPC”), setting out the same principles set out above, for organizations to ensure that privacy-impactful initiatives to combat COVID-19 remain consistent with the Personal Information Protection and Electronic Documents Act, Canada’s legislation governing private-sector organizations, and the Privacy Act, Canada’s legislation governing federal government departments and agencies.
While the government of Canada and Premiers across the country contemplate the implementation of this technology, the OPC and provincial and territorial privacy regulators appear to be indicating that digital contact tracing efforts should not come at the expense of existing privacy laws and protections in Canada.
This article is intended to provide an overview of privacy issues associated with digital contact tracing apps during the COVID-19 pandemic. With the unprecedented degree of uncertainty and fluidity associated with COVID-19, it is important that organizations continue to monitor requirements and best practices relating to the collection, use, and sharing of personal information to ensure data privacy risk is managed appropriately. We further recommend, due to the unique nature of every organization, that legal counsel be consulted.
At Mills & Mills LLP, our lawyers regularly help clients with a wide range of legal matters including business law, family law, real estate law, estate law, employment law, health law, and tax law. For over 130 years, we have earned a reputation amongst our peers and clients for quality of service and breadth of knowledge. Contact us online or at (416) 863-0125.
 Together with other information disclosed by users (such as their COVID-19 status or test results).