Privacy review of the COVID Alert exposure notification application
On June 11th, 2020, the Government of Canada informed the Office of the Privacy Commissioner of Canada (OPC) of its intent to make available to Canadians a single national COVID-19 exposure notification application (app), based on Google/Apple technology.
This was followed on June 19th with a Privacy Assessment conducted by Health Canada of the app’s design against the principles found in the joint statement issued by federal, provincial and territorial Privacy Commissioners on May 7th, 2020, Supporting public health, building public trust: Privacy principles for contact tracing and similar apps.
Subsequent to receiving this Privacy Assessment, the OPC had several communications, verbally and in writing, with federal government officials.
On July 10th, we made preliminary recommendations to the Government of Canada, a number of which were accepted. Where relevant, we discuss in this paper the government’s response to our preliminary recommendations.
Given that the app is being positioned as a national initiative, the OPC also communicated with provincial and territorial Privacy Commissioners.
The Government of Ontario has said it would encourage use of the application in the province. Therefore, the OPC has worked closely with the Office of the Information and Privacy Commissioner of Ontario (IPC) to develop consistent recommendations.
The following is our review of the privacy implications of the exposure notification app. This review was informed by the comments and feedback of other provincial and territorial privacy commissioners.
We note that our review of the app is based on the information provided to us to date, and is without prejudice to any complaints we may receive about the operation of the app. Any changes to the app’s functionality will require further analysis.
We have based our analysis on the principles outlined in the joint federal, provincial and territorial (FPT) statement.
Key points
A key principle of the FPT statement requires that the government demonstrate the necessity and proportionality of the measure, including a demonstration of the app’s effectiveness.
Respect for this principle must be assessed in context, and the relevant context here includes the fact that COVID-19 is a novel and deadly coronavirus, affecting millions of people worldwide, and that the proposed technology, as a measure to augment the capacity of governments to manually trace the spread of a virus, is also new.
While the technology is untested, many have commented that low adoption rates abroad and other factors mean the effectiveness of the approach is uncertain. This may well be true, but we (like the World Health Organization [Footnote 1] and a number of data protection authorities around the world [Footnote 2]) believe that an exposure notification app such as the one proposed by the Government of Canada could, as part of a wider set of measures including manual contact tracing, play a useful role in reducing the spread of the virus. It would do so in part by alerting individuals to the possibility that they have been in proximity to a person diagnosed with COVID-19 and encouraging them to be tested.
We note that in response to our question on the scientific basis for the app, Health Canada confirmed its view that the app is likely to be effective in achieving its intended purposes. However, because this is uncertain, we recommended that the government closely monitor and evaluate the app’s effectiveness once it is used, and decommission it if effectiveness cannot be demonstrated.
In response to these preliminary recommendations, the government indicated it is taking note of international experiences with similar approaches and technologies, and it will work in full transparency with Canadians in regard to the operation of the app. The following steps will be adopted:
- An External Advisory Council will provide expert advice on the implementation of the app to implicated federal, provincial and territorial Deputy Ministers;
- The Government of Canada will seriously consider any advice received from the Advisory Council regarding the decommissioning of the app;
- Health Canada has begun work to create a framework to define and measure the app’s effectiveness, and how to link benchmarks to an ongoing analysis of whether the app continues to meet the necessity and proportionality principle; and
- Health Canada will invite the OPC to participate in a joint audit of the app, starting in the fourth quarter of 2020, that will include in its mandate the ongoing analysis of the app’s effectiveness.
Another important principle in the FPT statement is that de-identified data should be used whenever possible. A related principle is the adoption of appropriate legal and technical safeguards to ensure non-authorized parties do not access the data.
On this point, we are satisfied that exceptionally strong measures have been adopted by the government to ensure that the identity of users is protected and not disclosed to the Government of Canada. Experts generally agree that there is no such thing as zero risk of the re-identification of de-identified data, but here, in light of the security and other safeguards adopted, the risk of re-identification is very low.
We note that at the provincial level, participating provinces will be required to distribute one-time codes to users of the app who have tested positive, which allows them to share their exposure notification information from the app with other users in a de-identified fashion. Certain individuals at the provincial level will be aware that an individual has received a positive test result, but we understand that those individuals will not have access to the exposure notification information.
We come next to the principle of transparency. We note that the government has referred interested stakeholders to documents published by Google, Apple and Shopify, notably source code, for an understanding of how the app would work. These documents are useful for those with a fairly high level of understanding of computer science, but not easily understood by others.
Health Canada has also explained to us in significant detail the security and other safeguards designed to protect the identity and privacy of users. This is now part of an updated Privacy Notice received on July 22nd and of a revised Privacy Assessment received on July 27th.
In our view, Health Canada and the Government of Canada have taken significant steps in line with the transparency principle.
Significantly, the FPT statement includes the principle that in order for the application to be trusted, the app’s use must be voluntary and therefore based on meaningful consent.
The language upon which consent will be sought consists of a Privacy Notice and notifications during the sign-up process. When individuals download the COVID Alert app, they are provided with an overview of how the app works. This information is written in clear and accessible language. However, in the context of our engagement and as we elaborate in the review below, we recommended changes to some language which, in our opinion, was not accurate and therefore would not result in meaningful consent. Health Canada and the Government of Canada have accepted our recommendation. Therefore, we are of the view that the information presented to users will result in meaningful consent.
Trust and ensuring that use is voluntary also require that the app, as stated in the Privacy Assessment, not be used for “any purpose beyond allowing users to identify whether they have been exposed to the virus and thus take appropriate steps to further reduce the spread.”
We note that other countries have taken measures to prevent anyone from being compelled to use a contact tracing or exposure notification app. In Australia, it is an offence for an organization or a government agency to require individuals to download or use the app. [Footnote 3] In France, the app is to be voluntary, with legal obligations placed upon state health officials to assure confidentiality of medical information. [Footnote 4] Finally, Switzerland’s legislation adopted to provide a statutory basis for the app states that use of the app must remain voluntary and that individuals who choose not to use the app cannot be disadvantaged by any authorities, enterprises or other individuals. [Footnote 5]
In Canada, it is unclear whether the law would prohibit organizations from seeking information residing in the app, including whether the user has received an exposure notification, as a condition of service. In our view, it is another failing of our current laws that voluntariness and purpose limitation cannot be enforced clearly with measures such as those adopted in other countries.
When asked what it would do to ensure organizations do not circumvent the voluntary nature of the app, the Government of Canada committed to providing messaging to the effect that individuals should not be required to use the app, or to disclose information about their use of the app. It also responded that it will work with the private sector to provide guidance on national economic measures (related to the reopening of the economy) amid the pandemic. While these are welcome measures that would mitigate risks to voluntariness and purpose limitation, they do not eliminate that risk. Still, the principles of voluntariness and purpose limitation are respected as they relate to the two governments.
Finally, the FPT statement requires governments to be accountable, notably by making public their ongoing monitoring of the effectiveness of the initiative and by allowing an independent third party, such as privacy commissioners, to review the implementation of the app.
The Government of Canada has now made commitments that would meet the FPT statement’s accountability principle. With respect to independent oversight, in response to our preliminary recommendation to allow our Office to play an oversight role in assessing the app against the FPT principles, Health Canada indicated that it welcomed the opportunity to conduct a joint audit with our office, the mandate of which will include the ongoing analysis of necessity and proportionality, and an assessment of respect for the FPT principles in the design and implementation of the app. Our office has therefore concluded that with these steps, the Government of Canada is meeting the FPT statement’s accountability principle.
Initiative summary
The Government of Canada is launching a national COVID-19 exposure notification app, called the COVID Alert app, as part of the effort to reduce the spread of the COVID-19 virus and to reopen the economy. The app is designed to be interoperable across the Canadian provinces and territories (PT). To date, Ontario is the only province that has publicly committed to deploying the app but we understand that discussions between the federal government and PT governments are ongoing.
Health Canada’s Privacy Assessment outlines the design and functions of the COVID Alert app and will be publicly available. The app’s design includes several key characteristics. For instance, the information shared between phones and the servers is a series of numbers that on their own do not identify individuals. The app also has strong measures to protect the identity of users, making the risk that individuals can be re-identified very low. The app operates by connecting with a federal server, which in turn must interact with provincial or territorial systems. We understand that at this point, the app will only interact with one provincial interface, the Ontario Lab Results, but that other interfaces may be added in the future. The federal layer may interact with more than one provincial or territorial system, depending on how provinces and territories deliver COVID-19 results and one-time codes to users. However, Health Canada indicated that those would be the same interaction technologically, with the same security protections.
Privacy principles
Consent and trust
The Federal, Provincial, and Territorial (FPT) Privacy Commissioners’ Joint Statement indicates that to build public trust, the app must be voluntary. Meaningful consent is a key component of voluntariness.
As mentioned, the language upon which consent will be sought consists of a Privacy Notice and notifications during the sign-up process. When individuals download the COVID Alert app, they are provided, through these notifications, with an overview of how the app works. This information is written in clear and accessible language. However, in the course of our review, we noted an element in the Notice and notifications which, in our opinion, was not accurate, and therefore would not result in meaningful consent. This was the claim that data collected by the app was “private and anonymous”. We believed this did not appropriately describe the risk of re-identification, although very low. True anonymity, technically speaking, would require the complete and permanent impossibility of reversing the data processes at play, which could reveal sources of personal information and so re-identify individuals. [Footnote 6] Put another way, in order for data to be rendered truly anonymous, it must be stripped of any and all potential linkages back to individuals. [Footnote 7]
Our understanding of the situation is that while the identification of users would be highly improbable, it would not be impossible. Hence, use of the app should not be characterized as entirely anonymous. Personal data is being de-identified, at certain points, and users rendered pseudonymous, at certain points, but such techniques across the system should not be described as offering anonymity.
We recommended all references to anonymity be removed from the Privacy Notice and notifications during the sign up process. We note that Health Canada and the Government of Canada accepted our recommendation and removed those references.
Legal authority
Health Canada cited s. 4 of the Department of Health Act as its authority to operate the app. We agree that this provides a sufficient legal basis for the initiative.
The Privacy Assessment affirms that COVID Alert does not collect any personal information, which suggests that the federal Privacy Act does not apply. This is because, according to the Government of Canada, the app relies on random codes and there is no “serious possibility” that an individual could be identified from the data elements, either alone, or in combination with other information. [Footnote 8]
This deserves a pause. While it is not necessary for the purpose of this review to opine on the validity of the government’s assertion, which may be correct at law, it bears noting that an app, described worldwide as extremely privacy sensitive and the subject of reasoned concern for the future of democratic values, is defended by the Government of Canada as not subject to its privacy laws. This is again cause for modernizing our laws so that they effectively protect Canadian citizens. The design of this app is generally privacy sensitive, but does it mean it should be exempt from the law’s purview? What legal remedies would citizens have if good design were to be inappropriately implemented?
We note that in its consultation papers on a possible reform of the Privacy Act, the Department of Justice says the following in relation to de-identified information:
“The current “in or out” approach to personal information does not accommodate more nuanced rules that may be organized around different levels of risk and foster compliance. Defining de-identified, anonymized, and pseudonymized information could support the development of new compliance incentives, allow for a more targeted and nuanced application of certain rules, and assist to ease some of the difficulties of practical application that arise under the current approach.” [Footnote 9]
We agree that a more nuanced approach is desirable and our recommendations to the Department of Justice included the following:
- The Act should recognize that re-identification of personal information is always a possibility, depending on the context.
- The Act should define de-identified information to allow for a more targeted and nuanced application of certain rules. For instance, while de-identified information might be exempted from certain provisions of the Privacy Act, or their application nuanced, other provisions would continue to apply; de-identified information should not be completely carved out.
Recommendation: These recommendations are directly relevant to the present context and we would further recommend that similar amendments be considered to the Personal Information Protection and Electronic Documents Act (PIPEDA).
The Privacy Assessment further indicates that, “Nevertheless, should a different conclusion be reached regarding the assessment of whether any data element could be considered personal information, all requirements of the Privacy Act and Treasury Board of Canada Secretariat (TBS) Privacy Policies have been met in order to ensure user privacy is protected.” Here the government is saying that even if in its view the Privacy Act does not apply, it will act as if the Act applied and all its requirements will be met. However, when asked whether certain specific rights enacted by the Privacy Act would apply, such as the right of access and protection from certain disclosures, Health Canada said no because the initiative does not involve the collection of personal information. Consequently, without a confirmation that all Privacy Act and TBS policy requirements are met, we believe the statement could be confusing and could give false assurances to Canadians.
Recommendation: Health Canada should remove from the Privacy Assessment and any other documentation references indicating that the Government of Canada complies with the Privacy Act and with TBS policies on privacy.
The federal government is responsible for the delivery of health care for numerous groups, including First Nations people living on reserves, Inuit, serving members of the Canadian Armed Forces and eligible veterans and some refugee claimants. We understand the Government of Canada has not yet determined how to onboard these groups. Further, Health Canada has identified vulnerable populations, including seniors, marginalized individuals, people without cell coverage, and First Nations, Inuit, and Métis, who may benefit from targeted outreach strategies and/or support. Although the Government of Canada has committed to conducting further privacy analysis and engaging with our Office, we have not received any further details on the Government of Canada’s approach.
Recommendation: The Government of Canada should clarify what measures it intends to put in place to expand the app to the groups who receive health care services from the federal government. The federal government should also put measures in place to reach out to vulnerable communities and update their Privacy Assessment with these details.
Necessity and proportionality
In the Privacy Assessment and in follow-up analysis, Health Canada explained that offering Canadians the option of using an exposure notification app is part of the Government of Canada’s larger response to address the COVID-19 virus. Along with other prevention measures, the COVID Alert app is intended to reduce the spread of the virus by notifying Canadians of potential exposures and by encouraging them to take appropriate actions (e.g. being tested, adjusting their behaviour). When asked to confirm that making the app available for use by Canadians had a scientific basis, Health Canada stated its view that the app will likely be effective in achieving its defined purposes. We also note the views of the World Health Organization that “digital proximity tracking applications can only be effective in terms of providing data to help with the COVID-19 response when they are fully integrated into an existing public health system and national pandemic response. Such a system would need to include health services personnel, testing services and the manual contact tracing infrastructure.” [Footnote 10] Additionally, while the level of uptake for the COVID Alert app remains hard to predict, we note that a study by epidemiologists from Oxford University found that any level of uptake could have a positive impact. In fact, the researchers stated that based on their simulation, “one infection will be averted for every one to two users.” [Footnote 11]
As indicated in the Key Points section, the necessity and proportionality principle must be assessed in context. While exposure notification apps are new and untested, we believe that in context, the governments of Canada and Ontario have sufficiently demonstrated that COVID Alert is likely to be effective in reducing the spread of the virus, as part of a larger set of measures and subject to close monitoring for effectiveness once the app is in use. The relevant context includes the fact that COVID-19 is novel, has resulted in hundreds of thousands of deaths worldwide, and therefore requires consideration of new mitigation responses with reasonable prospects of success.
The Privacy Assessment states that the effectiveness of the app will be closely monitored and assessed and that the Government of Canada will work with an Advisory Council to address any issues as they arise with respect to public health outcomes, technology, accessibility and privacy. While the version of the Terms of Reference of the Advisory Council that our Office reviewed does not explicitly refer to effectiveness, the Government confirmed that the Advisory Council will assess the app’s effectiveness. The Government will regularly engage with the OPC on the Advisory Council’s work and advice. Our Office recommended that, in line with the FPT Joint Statement, the Government of Canada decommission the app if its effectiveness cannot be demonstrated. In response, the Government has indicated that it will seriously consider any advice received from the Advisory Council regarding the operation and decommissioning of the app.
The Government of Canada has committed to a further mechanism that will include participation of the OPC in a joint audit of the app, thus adding a form of independent oversight. The joint audit will include as part of its mandate the ongoing analysis of necessity and proportionality based on a framework and benchmarks being developed by Health Canada with the advice of public health epidemiology experts. The joint audit, to begin in the fourth quarter of 2020, will also include an assessment of respect for the principles of the FPT Joint Statement in the design and implementation of the app.
Health Canada also asserts that the COVID Alert app will be beneficial to all Canadians, regardless of whether their province or territory of residence has onboarded. When asked what the specific benefits of the app would be for a resident of a province or territory whose government has not adopted the technology, the Government of Canada explained that the app could help permit safe interprovincial travel, which is expected to increase as Canada’s economy reopens. For example, if somebody in a participating jurisdiction travels to another province/territory that is not yet participating, and subsequently tests positive for COVID-19, users in that jurisdiction can still be notified of potential exposure.
Finally, we note that while developing the COVID Alert app, the Government of Canada has made a conscientious effort to minimize the information required for the app to operate.
Recommendation: Health Canada should make a commitment that the app will be decommissioned if the app is shown not to be effective.
Purpose limitation
Health Canada has established a clear and limited purpose for the COVID Alert app: to reduce the spread of the virus by notifying users of potential exposures so they can take appropriate actions.
That said, we note that the Privacy Assessment mentions the possibility of new uses or disclosures of data, such as adding anonymous diagnostic data to the app to help measure its public adoption, but only with consent. In response to our questions, we were informed that the Government is not actively pursuing new uses for the data generated by COVID Alert at this time. Additionally, the Government of Canada has committed to consulting with the OPC in advance of implementing any new uses or disclosures.
While we are of the view that the purpose limitation has been satisfied as it relates to the Government of Canada and the Government of Ontario, we note that there is a risk that third parties, including private sector companies, may seek to compel individuals to use the app or to provide information from the app for other purposes than to inform them of possible exposures. In response to our preliminary recommendation that the Government of Canada strongly discourage such practices, a commitment was added to the draft Memorandum of Understanding (MOU) between the Government of Canada and the Province of Ontario indicating that in its area of responsibility, Canada will provide messaging to the effect that individuals should not be required to use the app, or to disclose information about their use of the app. We note that at the time of issuing our review document to Health Canada, the MOU had not yet been signed.
Such a commitment will mitigate, but not eliminate, the stated risk to voluntariness and purpose limitation, and in our view, discouraging third parties from circumventing these principles is a minimum. We also note that other countries have legislated to prohibit such practices. Ultimately, the law should be amended to make these principles enforceable against third parties.
Similarly, several commercial entities will be able to determine whether individuals have downloaded and used the app. These entities should not be permitted to monitor their customers’ use of the COVID Alert app.
Recommendation: As part of the reform of PIPEDA that the government announced in the Prime Minister’s mandate letters, federal law should be amended to make enforceable against third parties the voluntariness and purpose limitation principles.
De-identification
The Privacy Assessment and Annex A: List of Data COVID Alert App Data indicate that the Government of Canada has taken strong actions to prevent users’ identities from becoming known to other users, the federal, provincial and territorial governments or malicious hackers. In the course of our review, we posed many questions to the Government about the safeguards in place to limit the risk of re-identification. We observed that the COVID Alert app contains important and very strong measures to protect users’ identity. For example, the app does not collect or disclose any information that would directly identify the user. All data in use and at rest is protected by exceptionally strong encryption techniques and cryptographic hashing functions. Further, the contact matching process takes place on the phone, with no personal data leaving the phone at any time.
We note, however, that there are situations where the risk is higher, even if still low due to the adoption of strong safeguards. For instance, IP addresses accompany requests to the server to verify one-time codes. The server retains the user’s IP address for 60 minutes if the one-time code is not valid; this retention is meant to help prevent fraudulent uses of one-time codes. In addition, system logs will retain users’ IP addresses every time a request is made to the server (one-time code verification, diagnosis key upload, etc.) for up to three months in normal conditions. In the event of suspicious activity, the system will retain a user’s IP address for up to two years. In this scenario, we understand that the relevant system logs may be shared with law enforcement agencies to facilitate an investigation. These security features present a risk of re-identification because, when combined with other information, IP addresses can be used to identify individuals. But, again, due to the adoption of strong safeguards, we believe the risk of identification is low. The Government of Canada indicated to our Office that access to these logs is restricted to authorized users who are bound by security obligations to protect this information and not to access or use it for nefarious purposes.
Time limitation
We note that while in operation, the app limits the retention of information: Temporary Exposure Keys are deleted on the device after 14 days.
In addition, Health Canada has established parameters for the period of time that the COVID Alert app will remain in operation. Health Canada committed to shutting down the app – which will erase the random numbers shared between phones and delete any data stored on the Government of Canada’s servers – within 30 days after the pandemic is declared over. Although the pandemic could last a long time, Health Canada has committed to knowable and clear time periods in which the app will remain in use and for the retention of the data collected by the app.
Transparency
Health Canada and the Government of Canada have taken significant steps in line with the transparency principle. They have agreed to make the full Privacy Assessment publicly available. We also note that Health Canada and the Government of Canada have made a real and genuine effort to provide our Office with the necessary documentation and analysis to complete our review. In addition, the revised Privacy Assessment sent to our Office on July 7th included the additional information requested by our Office in the course of our engagement. Finally, the Government has made some technical information publicly available via GitHub and, as indicated earlier, has referred interested stakeholders to documents published by Google, Apple and Shopify.
In addition to looking at the design of the app and how it interacts with the federal servers, we reviewed publicly available information about the API designed by Google and Apple. However, we were not able to review the entire API code, which is not publicly available. A thorough evaluation of the surrounding technical ecosystem in which the app operates is beyond the reach of this review. We are aware of concerns related to this uncertainty about the environment in which the app and API interact.
Recommendation: The Government of Canada should continually monitor and assess the potential risks related to the Google and Apple operating systems in relation to COVID Alert. To maintain the same level of transparency, the Government of Canada should communicate to the public any potential new privacy risk related to that component of the COVID Alert app.
Accountability
The accountability principle in the FPT Joint Statement emphasizes the importance of oversight by an independent third party to reinforce public trust. Other countries have followed this approach, including Australia. [Footnote 12] Similarly, the Canadian Institute for Advanced Research (CIFAR)’s Expert Group on Society, Technology and Ethics in a Pandemic, established at the request of Canada’s Chief Science Advisor, stated that public trust will be reinforced by a pandemic legal framework and independent oversight mechanisms that can report publicly and in real time around the effectiveness and impacts of technology. The Expert Group also recommended that privacy commissioners be empowered to provide oversight and auditing for the deployment of digital contact tracing initiatives.
Our Office offered to play this oversight role by conducting an audit one month after the launch of the app, and at regular defined intervals thereafter. In response to our preliminary recommendation, Health Canada initially indicated that it will engage our Office to discuss options to “strengthen the independent oversight of the initiative” while being mindful of the needs and interests of provincial and territorial collaborators and privacy oversight institutions. Health Canada later confirmed that it welcomed the opportunity to conduct a joint audit with our office, to begin in the fourth quarter of 2020. The audit will include in its mandate an assessment of respect for the FPT principles in the design and implementation of the app, including an ongoing analysis of the app’s effectiveness under the necessity and proportionality principle. Health Canada also offered to provide our office with regular reports related to uptake, feedback on functionality, and the work of the Advisory Council.
The FPT Joint Statement’s accountability principle includes the idea that governments should develop and make public an ongoing monitoring and evaluation plan concerning the effectiveness of these initiatives and commit to publicly posting the evaluation report within a specific timeline. For the COVID Alert app, the Government of Canada indicated that it will be supported and guided by an External Advisory Council. In response to our preliminary recommendations, Health Canada clarified that, “The Advisory Council will provide reports to implicated federal, provincial and territorial Deputy Ministers on a regular basis. Except for matters related to the security of the app itself, the Advisory Council’s work will be transparent to the public.” Health Canada later confirmed that the work of the Advisory Council will be made publicly available.
Safeguards
Based on our review of the documentation provided to our Office, we believe the COVID Alert app has very strong safeguards in place. For instance, data at rest and in transit are encrypted using strong encryption methods. The one-time code process also relies on one of the strongest cryptographic hashing functions, and supports an anti-spam mechanism to ensure that fake diagnosis keys are not accidentally or maliciously uploaded. In addition, access to data on the CDS server is limited to staff with a “need-to-know” role.
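To illustrate the two server-side safeguards named above (storing only a cryptographic hash of each one-time code, and bounding failed claim attempts so that fake diagnosis keys cannot be pushed by guessing codes), the following is an added, hypothetical example; it is not COVID Alert's code, and the code length, lifetime, attempt limit and the keyed-SHA-256 construction are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this illustration, not COVID Alert's actual values.
CODE_ALPHABET = "0123456789"
CODE_LENGTH = 10
CODE_TTL_SECONDS = 24 * 3600
MAX_FAILED_ATTEMPTS = 5


class OneTimeCodeServer:
    """Hypothetical server side of a one-time-code gate for diagnosis-key uploads.

    Only a keyed SHA-256 digest of each code is stored, so a copy of the store
    does not yield usable codes; each client gets a bounded number of failed
    claims, which is the anti-spam role the review describes.
    """

    def __init__(self, pepper: bytes):
        self._pepper = pepper                     # server-side secret, never stored with codes
        self._codes: dict[bytes, float] = {}      # digest -> expiry time (seconds)
        self._failed: dict[str, int] = {}         # client id -> consecutive failed claims

    def _digest(self, code: str) -> bytes:
        return hmac.new(self._pepper, code.encode(), hashlib.sha256).digest()

    def issue_code(self, now: float) -> str:
        """Health-authority flow: mint a code for the patient, store only its digest."""
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        self._codes[self._digest(code)] = now + CODE_TTL_SECONDS
        return code

    def claim_code(self, client_id: str, code: str, now: float) -> bool:
        """App flow: True only for a valid, unexpired, unused code; consumes it on success."""
        if self._failed.get(client_id, 0) >= MAX_FAILED_ATTEMPTS:
            return False                          # locked out: key upload is refused
        digest = self._digest(code)
        expiry = self._codes.get(digest)
        if expiry is None or now > expiry:
            self._failed[client_id] = self._failed.get(client_id, 0) + 1
            return False
        del self._codes[digest]                   # single use: a second claim fails
        self._failed.pop(client_id, None)
        return True
```

A successful claim is the point at which the real system would accept the diagnosis keys; here the lockout and expiry paths are what keep unverified keys out.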
In the course of our review, we received a lot of information and clarification on the interaction between the federal layer and the provincial system. We have reviewed draft versions of the MOU between the Government of Canada and the Province of Ontario. We note the MOU includes rigorous privacy clauses, including that the Government of Canada will be using a “privacy-first approach”, that the app does not collect or use location data and that the information transmitted by the app is designed to protect the user’s identity or location. The Government of Canada also commits in the agreement not to use the data it collects to identify or attempt to identify users unless for security purposes or when required by law, and to ensure the same of its service providers. The MOU includes requirements for Ontario to protect the one-time codes, to limit their retention and to delete them once they have been obtained by app users. Additionally, the MOU requires Ontario to have security measures in place to address the potential vulnerabilities around the process by which users are given their one-time code following a positive COVID-19 result. Finally, the MOU states that the app will be decommissioned within 30 days after the Chief Public Health Officer of Canada declares the pandemic over and that all data will be deleted from Canada’s server, except for those related to active security incident investigations, within this period.
Recommendation: The Government of Canada should ensure that the MOU with the Government of Ontario sets out the necessary safeguards that both governments need to implement to protect the privacy of users and the security of information throughout the app ecosystem.
The Privacy Assessment notes that Amazon Web Services will provide the underlying cloud infrastructure that hosts the server. Amazon Web Services was procured through the existing Shared Services Canada cloud framework agreement. Our preliminary assessment of this agreement suggests measures are in place to protect the information stored in the server. However, considering the complexity of the agreement and our limited time for review, we reserve the right to further review this agreement as part of the Government of Canada’s broader cloud-first strategy.
Conclusion
Having reviewed the documentation provided by the Government of Canada to date, we are satisfied that the design of the COVID Alert exposure notification app meets all the privacy principles outlined in the joint FPT statement.
We believe that in context, the governments of Canada and Ontario have sufficiently demonstrated that COVID Alert is likely to be effective in reducing the spread of the virus, as part of a larger set of measures and subject to close monitoring for effectiveness once the app is in use.
Regarding independent oversight under the accountability principle, the Government of Canada is working towards creating a framework and benchmarks to measure the effectiveness of the app, which will form part of the mandate of a joint audit in which our Office is invited to participate. This audit will also assess whether the design and implementation of the app respect the principles detailed in the joint FPT statement.
While using the app is voluntary and the purpose limitation principle is satisfied as it relates to the governments of Canada and Ontario, it is possible that third parties may seek to compel use of the app or access to information in the app as a condition of service or employment. We welcome the fact that governments will discourage third parties from circumventing the voluntariness of the app and its single purpose, but we see this as a minimum step that should be taken to reinforce these key features of the app. Ultimately, the law should be amended to make these principles enforceable.
Nevertheless, Canadians who choose to use the app can do so knowing it includes very significant privacy protections. While experts generally agree that there is no such thing as zero risk of the re-identification of de-identified data, we are satisfied that exceptionally strong technical security safeguards have been put in place.
As noted, in our view, the Government of Canada has taken significant steps in line with the transparency principle. Also key for the application to generate trust is that users provide meaningful consent. There, the Government has integrated our recommendations into the Privacy Notice and the notifications shown during the sign-up process.
To further enhance the privacy of Canadians using this exposure notification app, we encourage the Government to adopt the recommendations contained in this review.