By Fast Company

South African President Cyril Ramaphosa recently called for the use of mobile technology in dealing with COVID-19. Telkom and Samsung responded to the call with their technology. Globally, Apple and Google announced their collaboration to develop a mobile technology-based approach to tracking the spread of COVID-19.

Then there is Microsoft. As one of the latest technology conglomerates to partner with healthcare authorities and providers, researchers, non-profit organizations and governments around the world, they are on a mission to develop solutions for the COVID-19 pandemic.

Mobile technology tracking of COVID-19 has, however, raised eyebrows among privacy advocates. Many have indicated that mobile tracking may lead to privacy violations.

However, Microsoft has emphasised the crucial and ethical need to respect people’s privacy.

“Tracking individuals who are infected, tracing those with whom they have recently come into physical contact and making testing available to those contacts may play an important role in managing the next phase of COVID-19 around the world. However, this requires special care, as sensitive data about our location and health status may be involved,” they said in a statement.

To this end, the company has released seven privacy principles, which it promises to uphold and which it urges governments, public health authorities, academics, employers and industries to consider and implement as the world collectively moves forward into the next phase of the pandemic:

1. Obtain meaningful consent by being transparent about the reason for collecting data, what data is collected and how long it is kept. Data should only be collected with consent and used in the manner explained when people are making the decision to participate. Clear and user-friendly information serves to help promote voluntary participation and can ensure everyone interacting with the technology is making informed choices to participate in data collection and is aware of the purpose of the data collection, the type of data that will be collected, the time period the data will be held and the benefits of the data collection.

2. Collect data only for public health purposes. The data collected from an individual for purposes of tracing those who have been in physical contact with an infected person and other public health purposes is owned by the individual and should remain under that person’s control. As a general matter, this data should be used by public health authorities only for the articulated public health purposes, and not for unrelated reasons. Public health authorities should provide input regarding the types of data that will be most useful for fighting the pandemic.

3. Collect the minimal amount of data. Data that is collected by public health authorities for public health purposes, such as tracing, should be limited to only the specific data required, and should only be collected and used for the time period identified as necessary by public health experts.

4. Provide choices to individuals about where their data is stored. The data must be wholly in the individual’s control, including allowing the individual to choose where to store this data, such as on a device or in the cloud.

5. Provide appropriate safeguards to secure the data. Reliable security safeguards such as de-identification, encryption, rotating and random identifiers, decentralized identities or similar measures should be in place to protect people’s data from harmful exposure and hacking attempts.

6. Do not share data or health status without consent, and minimise the data shared. An individual’s data or health status shouldn’t be shared with the individual’s contacts or others without securing the individual’s meaningful consent. If such sharing is pursuant to legal requirements, then the sharing should be strictly limited by the scope of the law. When notifying individuals that they may have been in physical contact with an infected person, only share the minimum amount of data necessary to protect against inferences about the identity of the infected person.

7. Delete data as soon as it is no longer needed for the emergency. Individuals own their own data, whether stored on a device, a server or in the cloud. Copies of the data that were transferred to public health authorities and others for tracing and other public health purposes should be deleted when no longer useful for public health purposes, as defined by public health authorities. None of the individual’s information should be retained by the authorities or others for future unrelated uses or purposes.

The principles outlined above are intended to apply to any COVID-19 technological solutions that involve the collection and use of personal data such as health data, precise geolocation data, proximity or adjacency data, and identifiable contacts.

In the context of the global picture, Microsoft understands the complexities of technological disparity based on race, education and income level, as well as people's comfort with sharing such private and personal information. Their ethos is that health-centric programmes and technological solutions should be available and accessible to all.

“Privacy and ethical concerns must be considered as we move forward to use data responsibly to defeat the COVID-19 pandemic,” they said. In this regard, Microsoft has indicated that they are committed to being a constructive, effective and sustainable platform.