As political leaders and public health experts look to both stem the spread of COVID-19 and work towards economic recovery, the use of contact tracing for those testing positive for the novel coronavirus has come to the forefront. While he praised the idea of contact tracing, Sen. Ed Markey, D-Mass., urged Vice President Mike Pence to data privacy at the forefront of any policy decisions.
Contact tracing involves identifying and contacting anyone who may have come into contact with someone who tested positive with COVID-19. One way of implementing contact tracing is via a smartphone app and Bluetooth technology.
In an April 22 letter, Markey urged Pence to “design and implement a comprehensive strategy for COVID-19 contact tracing in the United States,” saying that “contact tracing is an essential component of a sound response to the public health crisis we face today.” However, he said that the Federal government must provide “leadership, coordination, and guidance to ensure that contact tracing efforts are effective and do not infringe upon individuals’ civil liberties, including the right to privacy.”
To that end, Markey offered up principles the Federal government should consider when designing policy. The policies related to data management and privacy protection are:
- Voluntary Participation: “Any technology-assisted effort to leverage individuals’ sensitive information for contact tracing purposes should take place on an “opt-in” basis. For example, entities conducting contact tracing should not directly coerce individuals into sharing their sensitive information through a smartphone application. Nor should they indirectly coerce individuals to participate in technology-assisted data sharing by conditioning access to public benefits or services on consent to invasive surveillance.”
- Transparency: “Any entities that collect or process individuals’ information for contact tracing purposes should provide easily accessible, clear, and comprehensive information about their data collection or processing. Entities involved in contact tracing should take all reasonable steps to allow Congress, the public, and experts to review and scrutinize their data practices and ensure that all necessary privacy and security measures are in place.”
- Data Minimization and Retention Limitations: “Contact tracing efforts should collect only the information from individuals that is absolutely essential to achieve specific, evidence-based, pre-determined public health objectives. These initiatives should store collected information in forms that preserve individuals’ privacy and ensure that anonymized information cannot be re-linked to an individual. As soon as a contact tracing program’s objectives have been achieved, the program should immediately cease. Termination of these programs should involve responsible data destruction practices that preserve users’ privacy and avoid any future unapproved data use.”
- Data Use Limitations: “Any entities that collect data for contact tracing related to the COVID-19 pandemic should exclusively use that data to achieve specific, evidence-based, pre-determined health objectives related to combatting the current public health crisis. These entities should take special care to avoid data processing that could result in discriminatory outcomes, and under no circumstances should entities involved in data collection for contact tracing use this information for unrelated purposes, including, especially, commercial purposes.”
- Data Security: “Contact tracing efforts should avoid centralized storage of information and should utilize reliable security methods to prevent unauthorized or inappropriate data access.”