HSE’s data breach bodes ill for contact tracing app

Approach to data disclosure will not reassure anyone that data ethics is being prioritised

The HSE’s national coronavirus tracing app remains mysterious, even as we inch closer to the end of May or early June point, at which it is supposed to go on limited trial. Photograph: iStock
The HSE’s national coronavirus tracing app remains mysterious, even as we inch closer to the end of May or early June point, at which it is supposed to go on limited trial. Photograph: iStock

We’ve had little concrete information so far about the HSE’s mysterious national coronavirus tracing app, even as we inch closer to the end of May or early June point, at which it is supposed to go on limited trial.

But the HSE’s bumbling ineptitude this week in releasing sensitive Covid-19 test result data to employers, rather than to the affected individual employees, immediately raises further concern about the app and the HSE’s ability to see, much less address, valid ethical concerns about data gathering at population-wide scale.

The excuse offered was that in a health crisis, the General Data Protection Regulation (GDPR) allowed an exemption for shielding such data, even though health data falls into the GDPR's special designation category for ultra-sensitive information requiring extra protection.

It is not exempt, at least, not in in the context of this particular approach, privacy law experts were quick to point out.

READ MORE

Expressed shock

And Graham Doyle, deputy commissioner at the Irish Data Protection Commission (DPC), confirmed that "the DPC cannot see how it can be legitimised that medical test results of this nature would not be communicated in the first instance directly to each individual staff member".

He added that, while it may be necessary to also inform employers, this must be done after the employee is contacted. He said the DPC had received numerous complaints from individuals “who have expressed shock and upset at receiving results via their manager”.

Minister for Health Simon Harris and the HSE initially defended the practice, saying that, in some cases, contact information for individuals was missing, so employers were contacted instead. If so, how strange to defend a large failing with another worrying failing. Personal contact information is, surely, essential.

It beggars belief that a “let’s tell the boss” process was even in place. Forget the GDPR, which is of course important, but really just an adjunct concern here. The burning, obvious, critical issue is the ethics of the situation.

The very idea of going straight to employers with test data should have triggered a screeching alarm somewhere in the HSE, in somebody – and let’s do hope there’s at least one person with the requisite training, skills and mindset? – tasked with thinking about data ethics.

But come on: it does not even require an ethicist to recognise that individuals should not learn they have a potentially fatal health condition from their employer.

To his credit, chief medical officer Dr Tony Holohan was quick to rightly call such actions "a breach of confidentiality, full stop". And, in response to the news that the HSE was to suspend the practice, Minister for Justice Charlie Flanagan tweeted: "Bizarre & unusual conduct by HSE. Rethink welcome." Definitely.

While accepting the need to quickly find individuals who have tested positive and remove them from the workplace, is it that difficult to think of ethical, appropriate, data-respecting work-arounds? Especially as the HSE already has the ability to find the individual employee if it knows the individual’s workplace.

That other solutions never occurred to anybody is distressing, especially in the context of the forthcoming app that will require significant trust and buy-in from the public. The HSE has revealed little of how the app is being designed and developed by Irish company Nearform. It won't reveal the results, if any so far, of required data protection assessments.

Intense pressure

It has said it is producing the app in consultation with the DPC, yet this too seems potentially problematical. The DPC isn’t a consultancy, and users who wish to complain to the DPC about the app might prefer that a neutral data privacy specialist firm have any needed consulting role.

Overall, the inconsiderate approach to data disclosure revealed this week will not reassure anyone that data ethics, much less a solid knowledge of data protection law, is being appropriately prioritised for the needed data gathering and handling during this crisis.

While we can all appreciate the intense pressure the HSE is under right now, and acknowledge its hard work in managing a pandemic so far – better than many other countries’ health services – this incident must force needed reconsideration and change at both HSE and Government level.

Yes, a call has gone out for applications to form a national coronavirus ethics panel, and that’s a welcome step. But how can a national health body, as a general point of responsible operation, not have a data ethicist – or at least, one who is taken seriously and listened to – on board already?

For that matter, why is Ireland nearly alone in the EU in not having an official pan-government role for an ethicist or ethics panel, to consult not just on data gathering and health matters, but for all national policy issues?

For now, let’s hope the HSE starts anew with a fresh, transparent, trust-building ethics-based approach to data handling and – crucially – the forthcoming  app, which many sincerely hope will help us as we slowly emerge into longer-term national pandemic management.