Fighting COVID-19 with an app? The possibilities and pitfalls

The first peak of infections with the coronavirus (COVID-19) seems to be over for the time being. Many organisations are working towards a return to 'normal' life, but how can this be done safely? Can a corona app help with this? Can a corona app avoid a second peak? We list the possibilities and pitfalls.

1. Different types of apps

There's no such thing as “the corona app”. After all, there are different types of corona apps. A first important distinction that has to be made is whether the initiative is taken by the public sector or by the private sector.

1.1. Initiatives by governments

As support for the contact tracing

One way of stopping the spread of infectious viruses, such as the coronavirus, is contact tracing. In contact tracing, contact tracers find out with whom a positively tested person had contact at the time he or she was contagious. In this way, potentially infected persons can be identified and isolated in order to slow down the spread of the virus.

Contact tracing is not new. It has been around for some time in Belgium, for example for tuberculosis infections. However, the coronavirus appears to be so contagious that the capacity of the contact tracing agency is put under pressure. After all, contact tracing takes a lot of time and effort.

The contact tracer will have a conversation with a positive tested person. Such a conversation can take up to an hour, but this could be shortened if the contact persons can be mapped automatically, for example by a corona app. 

Supporting contact tracing could be an objective of initiatives taken by the government.

Open questions

Whatever the purpose of the corona app will be, there are a number of questions that need to be answered.

• Will the installation of the corona app be mandatory?
• Will there always be human intervention from a contact tracer?
• Will citizens' privacy be respected?
• What technology will the corona app use?
• How many citizens will have to use the corona app in order for it to be effective?

The TraceTogether app exists in Singapore. Over the past weeks and months, several European member states have been working on similar apps. However, this turned out to be not always easy. Because of the open questions, a corona app does not seem to be available in every European member state. 

1.2. Initiatives by the private sector

Contact tracing is a task of the government, not the private sector. Initiatives taken by private organisations therefore should have a different purpose.

Possible objectives could be:

• Avoid positively tested employees entering the workplace,
• Prevent potentially infected employees from entering the workplace,
• Identifying potentially infected employees after a positive test from a colleague,
• Prevent employees from becoming infected in the workplace,
• Ensuring that the rules of social distancing are respected.

Without going further into the legal feasibility of these objectives, organisations should ensure that they do not fall into any of the following pitfalls.

2. The most common pitfalls

If your organisation develops a corona app or wishes to use such an app, please note the following pitfalls.

Pitfall 1: unclear objective or purpose. 

The purpose of the corona app is crucial. Without a concrete purpose in mind, there is a high risk that more personal data will be collected and processed than necessary. The purpose will have to be defined in the Data Protection Impact Assessment (DPIA). This is mandatory in certain cases.

Pitfall 2: a mandatory app for employees.

Mandating a corona app to employees poses a number of legal and practical difficulties. Can the employer oblige the employee to take his smartphone with him to work? How will the employer check if an employee has installed the app if it is not a company smartphone? What if an employee refuses to install the app?  

Pitfall 3: a disproportionate app. 

Depending on the purpose of the corona app, a lot of personal data is potentially collected through the app. It is also likely to involve sensitive personal data such as health data or the employee's location data. Health data should not be simply processed, and certainly not shared with other employees. This could stigmatise employees. And will the corona app also collect personal data when the employee is not at work? And how will that be monitored? The question that needs to be asked is whether the same goal can not be achieved by less drastic means. 

Pitfall 4: do not involve the unions. 

This is linked to the pitfalls mentioned above, which will make it far from easy to convince trade unions of a corona app that is disproportionate or mandatory, or that has no specifically defined purpose.

Pitfall 5: thinking that the emergency justifies a breach of GDPR. 

The coronavirus has a major impact on our society, but that does not necessarily mean that it is an emergency situation. If there is an emergency, it is questionable whether a corona app can resolve this situation. Moreover, most supervisory authorities do not seem to consider that there is an emergency situation that would justify a breach of the GDPR.

Pitfall 6: don't think about the future.

If your organisation is developing a corona app, is this app specifically for COVID-19 or can it also be used for other viruses? If your organisation uses a corona app, how long will it be used? When will your organisation decide that use of the corona app is no longer necessary? On the basis of which criteria? What will happen to the personal data collected? How long will they be kept?

Pitfall 7: rushing 

The development of a corona app has to go quickly and that increases the risk of errors and data breaches. A corona app in the Netherlands has shown this. RTL Nieuws was able to retrieve a database with names, e-mail addresses and encrypted passwords in the source code of the Covid19 Alert app. This database came from a linked app. 

3. Carry out a Data Protection Impact Assessment!

Don't fall into any of the pitfalls!

In a number of cases it is mandatory to prepare a Data Protection Impact Assessment (DPIA). This is an in-depth thinking exercise. Your organisation will thus avoid falling into one of the pitfalls. In addition, it is best to document the technical and organisational measures taken to stay one step ahead of cyber criminals.

Corona app from a supplier?

Then check your supplier's homework, because you can't just shift your responsibility to your supplier. If the employer collects and processes employee personal data via a corona app, the employer remains responsible for this.

Do you need help carrying out a DPIA? Or would your organisation like to use a corona app? Contact Timelex.

Read more:

• COVID-19: Can health data be processed? + FAQ
• COVID-19: How cybercriminals benefit from the pandemic