Developers of LGUs’ Contact-Tracing Apps Enjoined to Act as Privacy Watchers
Software teams developing COVID-19 contact-tracing apps for local government units (LGUs) are advised to incorporate a privacy-by-design (PbD) approach and allow users to opt in and out of digital contact tracing.
The recommendations are provided by the Data Security and Compliance Office of the National Privacy Commission (NPC). The NPC is currently conducting compliance checks on LGUs’ contact-tracing apps being implemented in provinces, cities, municipalities, and barangays.
Privacy by design
Privacy Commissioner Raymund Enriquez Liboro enjoined software development teams to “act as privacy watchers and create applications and systems where users’ data privacy is protected at every level.”
“Build security into contact-tracing apps by adopting best privacy practices, such as transparency on how the data is used, collecting only necessary details and having proper disposal mechanism,” Liboro added.
- Modeling. Comprehend the application from end to end, describing or defining the personal data flows of the developing application.
- Method. Understand and implement clearly the methods in determining the models and personal data flows of the system.
- Definition. Define the terms, processes and how all the data link together. Definitions will provide a better understanding of the processes and data in developing the application.
- Analysis. Analyze all the information gathered from modeling, method, and definition and determine ways of developing the application that embed PbD and preserve privacy.
Recommended measures also include following secure coding and design principles, and the conduct of essential software testing.
Encrypt all network communications between the app and the backend. Use transport layer encryption to encrypt data in transit when communicating over mobile and Wi-Fi networks.
Software development teams should keep in mind that not all users are tech savvy. Consider an intuitive and easy-to-navigate onboarding user experience or UX that displays the overview of the app and its privacy notice.
The privacy notice contains the identity of the personal information controller, service description (list of all services that the app provides), personal data that are processed, collection methods, timing of collection, purposes for processing, storage and transmission of personal information, methods of use, location of personal information, third party transfer, retention period, participation of data subjects, and inquiries.
The NPC also advised software development teams to protect themselves against threats.
“Attackers often target software developers, system administrators and development platforms because they may have the system passwords, sensitive credentials, access to source code and access rights to sensitive assets,” Liboro added.
Proper consent mechanism
Apps must allow users to opt in and out of digital contact tracing. Use of the app must be voluntary, with data subjects allowed to withdraw consent at any time. Opting out must not lead to negative consequences for the user.
When different purposes exist in the app, there must be a separate consent and purpose must be explained beforehand to users (e.g. the use of anonymized data for pandemic and epidemiology research and development purposes).
Ensure that users can exercise their data privacy rights by providing user controls in the initial onboarding and during the use of the app. User control can be in the form of a dedicated privacy control panel or dashboard.
Make the contact tracing app’s system access explicit, especially when it tries to access sensitive capabilities of the user’s mobile device (e.g. storage or microphone). When making a permission request, the app must disclose what it is accessing.
Define and set where personal data are stored. Put in place strict policies and safeguards to restrict the location points of the digital personal data processed by the contact tracing app.
To prevent the data from being retrieved or the data subjects re-identified, delete and dispose of the personal data securely when the primary purpose for processing has already expired and there is no other legal basis (like law enforcement) to keep the contact or case details for a period longer than the existence of the pandemic.
Before implementing the app, business, system and process owners, or developers should conduct a privacy impact assessment (PIA) to identify data privacy and security risks.