HSE reveals key documents ahead of Covid-19 tracker app
Smartphone app’s Bluetooth function will be used to assist with the contact tracing effort
The Health Service Executive has published the Data Protection Impact Assessment and has also published the source code. Illustration: Getty
The Health Service Executive has published key design and data privacy documents ahead of the launch of its Covid-19 tracker app.
It is anticipated that the smartphone app, which is designed to aid the contact tracing process, will become available in the coming days.
Data protection and civil liberties groups gave a guarded welcome to the publication, commending the HSE and Department of Health for their transparent approach. But they reiterated some concerns over the effectiveness of the app
The documents published include the application’s source code, or its basic computing structure, as well as a Data Protection Impact Assessment, a document analysing the potential data protection risks of a given project.
Read the documents here.
A product explainer and a series of app design and development reports have also been published on the HSE website. The app, which was delayed for several months as it went through design changes, uses a phone’s bluetooth function in order to alert someone if it indicates they have been in close contact with a person who is confirmed to have Covid-19.
The app records if a user is in close contact with someone else who has it installed, by exchanging anonymous codes held on their phones. Those who test positive for Covid-19 will be able to choose if they want to anonymously alert other app users with whom they have been in close contact.
The contact tracing app initially faced opposition from data protection, civil liberties and privacy campaigners, who raised concerns over how data would be stored and processed. There were also issues raised around the technological limitations of the app, and whether it would work on the most popular smartphone models.
These have largely been addressed, after the HSE decided to develop the app on a decentralised basis, meaning data would not be collected and stored centrally by the State but instead would largely remain on users’ phones. Issues around the operation of contact tracing apps were addressed by collaboration with Apple and Google, which developed a platform that allowed them to function on their operating systems.
Some concerns, however, remain over the effectiveness of the Bluetooth technology upon which the contact tracing element is based. Questions have been raised by researchers at Trinity College Dublin over the accuracy and effectiveness of measurements given by Bluetooth especially in crowded settings.
Elizabeth Farries, director of the Irish Council for Civil Liberties (ICCL) information rights programme, said she was pleased the HSE and department had released the documentation prior to launch and encouraged by the department’s engagement with “our expert group in order to encourage diverse views and inputs”.
However, she said she still had concerns over the Bluetooth technology at the core of the app, saying “signal strength is not a reliable means to detect contact with individuals infected with Covid-19”.
TJ McIntyre, chairman of advocacy group Digital Rights Ireland (DRI), welcomed the establishment of an advisory committee which will assess the efficacy of the Covid-19 app, and the inclusion of a “self-destruct” mechanism which will see the app wound down within 90 days if it is deemed ineffective.
HSE chief information officer Fran Thompson said its development was “informed by a robust development and testing programme”. HSE chief executive Paul Reidsaid the app will “be an important part of our testing and tracing measures”.
Mr Reid said it will “augment the existing contact tracing operations by quickly notifying users if they have been a close contact of a confirmed case, enabling users to record symptoms, and providing a trusted source of information about Covid-19”.
The HSE said the processing of data will be limited to the stated purpose for the app. “All personal data that is processed is kept to an absolute minimum. Users can choose to delete the app at any time and have full control over what information they share through the app.”
The Health Service Executive has committed to dismantle the app once the Covid-19 crisis is over.
In a joint statement, the ICCL and DRI said: “We understand the terrible reality of Covid-19 for the population and everyone wants to do everything possible to fight Covid-19. However, to ensure Ireland’s Covid-19 tracker app is effective, respects rights and legality, and adheres to our expert’s principled framework, we encourage the App Advisory Committee to include a member of civil society. The Irish Council for Civil Liberties is available and willing to participate.”
Daragh O’Brien, managing director of consultancy firm Castlebridge, said the level of disclosure “is impressive” and “has to be commended”. “I cannot criticise the structure of it . . . the amount of disclosure of what has been done is a very good benchmark for other public bodies.”
Mr O’Brien said he “would be concerned the functioning and operation of the app may not meet the full set of requirements for consent under GDPR and other alternative bases for processing were available for them to choose without undermining the voluntary basis of the app.” He argued that the fact it has several functions, including symptom tracking, alongside its core contact tracing app, could prove problematic.
The inclusion of multiple functions, he said, goes against advice given by the European Data Protection Board in April, but a rationale is at least presented for this in the Data Privacy Impact Assessment. “They said the purpose of contact tracing apps should be restricted to just contact tracing, and the HSE has defined that to include symptom onset data here.”
The operation of the governance of the application will be a key future test to ensure that only those elements that are effective and necessary remain in use.
In a blogpost, Nearform – which developed the app – said that contact tracing apps “push smartphone technology to its limits”.
“The reality is that all these smartphones were never designed to facilitate contact tracing. Bluetooth technology was not created to enable this kind of communication between devices. Yet, it’s what we have. The technology may not be perfect, but it is effective and available.”