The Office of the Privacy Commissioner has released a statement regarding the handling of contact tracing data collected due to the ongoing Covid-19 pandemic.
The statement from the Privacy Commissioner said, “The current Covid-19 public health crisis has necessitated the collection and usage of data on individuals’ locations and interactions to facilitate a process called contact tracing.
“The United States’ Centers for Disease Control and Prevention [CDC] describes contact tracing as a decades-old ‘key strategy for preventing further spread of Covid-19.’ Whatever practices are undertaken as part of our public health response, organisations also recognise the need to protect the rights of individuals, as described in the Personal Information Protection Act 2016 [PIPA].
“For example, in the Government of Bermuda’s Guidance for Outdoor Dining, restaurants and bars have been directed to collect and maintain data for the purposes of contact tracing, such as their customers’ date and time of visit, full name, address, phone number, and email address.
“Organisations may be unsure about how to approach their responsibility to comply with these directions and maintain individuals’ privacy. Here are a few frequently asked questions:
“What right do I have to collect this data?
“PIPA establishes certain conditions for processing personal information—in other words, to collect or otherwise use personal information, you must meet at least one of these conditions. At present, the collection of contact tracing data is required by Government regulations, so as long as Emergency Powers remain in effect this collection would fall under PIPA Section 6[1][d]: “the use of the personal information is pursuant to a provision of law that authorises or requires such use.”
“What should I do with the information I collect?
“First, recall that the purpose for collecting the data is for contact tracing by public health or authorised officials. Business owners or other independent individuals should not undertake contact tracing or location tracking themselves. This data is to be collected only in case of future need and only for use by authorised officials.
“PIPA requires any organisation that collects or uses personal information to take such actions as to adopt suitable and reasonable measures, act in a fair and lawful manner, use only proportional information, maintain information’s integrity, and implement security safeguards to protect it. In practice, this means organisations should:
- Document policies and procedures for how you will collect and store the data [PIPA Section 5, “Responsibility and compliance”];
- Obey legal requirements and also clearly explain to individuals what actions you are taking and why [PIPA Section 8, “Fairness”];
- Do not collect extra or unneeded information [PIPA Section 11, “Proportionality”];
- Ensure the information you collect and store is accurate and kept for no longer than it is needed to meet its purpose [PIPA Section 12, “Integrity of personal information”]; and
- Protect the information against loss, or accidental misuse, or other unauthorised use [PIPA Section 13, “Security safeguards”]. Security measures may include storing the information in a locked safe or container and protecting electronic information using passwords. Access to the information should be limited to individuals who need to have the information to perform their jobs.
“What else may I do with the information I collect for contact tracing?
“Information collected for one purpose may not be used for another purpose without the consent of the individual or another exception. This rule is described in PIPA Section 10, “Purpose limitation.” It means that you cannot use information collected for Government-mandated contact tracing for any other purpose, including marketing, customer research, or personal use.
“You may seek an additional permission from the individual to use the data for an additional purpose, so long as the new purpose is clearly explained and the individual’s consent is validly obtained. The mechanisms for consent are described in PIPA Section 6[2][A] as “clear, prominent, easily understandable, [and] accessible.”
“What should I do if I have more questions?
“Like many other organisations, the staff of the Office of the Privacy Commissioner will be working remotely as a default first option for the near future, practicing socializing-at-a-distance. However, we will still be available to consult with the community on privacy topics and to meet in person by appointment if absolutely necessary and with appropriate safeguards in place. Please do not hesitate to reach out if we can be of assistance answering questions about privacy rights or how an organisation can put those rights into effect.
“Working together, we can ensure that we meet the challenges of this crisis while respecting the importance of individuals’ privacy.”