Sitra’s statement on the deployment of a COVID-19 tracking application
Digital solutions for tracking chains of infection enable a society to recover from the coronavirus crisis more rapidly and efficiently. A tracking application that takes privacy and information security into account can be a systematic tool to help manage the pandemic.
Statement issued on 5 May 2020.
The Finnish Innovation Fund Sitra’s statement for the Ministry of Social Affairs and Health on the deployment of an application for tracking close contact to help manage the COVID-19 epidemic
A mobile application is an appropriate solution for tracking chains of infection
The Ministry of Social Affairs and Health’s memorandum introduces a mobile application to help track infectious diseases and break chains of infection. Sitra considers this an appropriate method for tracking chains of infection.
Digital solutions for tracking the pandemic’s chains of infection enable a society to recover from the crisis more quickly and efficiently. As the restrictions are lifted, the number of infections will unavoidably grow. The focus will shift to more widespread testing and the tracking of positive cases.
Sitra believes that the information security of individuals is important in the planning and emphasises that a secure application that has been planned sufficiently well is a great tool to help track chains of infection. The application will have an impact if it has enough users and the chains can be revealed. It is a systematic tool for quickly revealing chains and it will make the work of trackers easier. The best time for releasing an application is at the same time as restrictions are lifted. There is a risk of losing valuable time with every day spent resolving the sharing of responsibilities and legal details.
If widely adopted, the application could reach a major section of the population faster and thus help manage the coronavirus locally and nationally.
Protection of personal data and privacy
Questions of protecting privacy and personal data have been appropriately considered in the proposal. Sitra wishes to emphasise the need to protect privacy – it is a basic premise in everything and the basis for people’s trust. It is important to create a mechanism for ensuring that applications fulfil the necessary requirements for data protection and information security. In our view, the described system implements the two-phase consent of the Ketju application, which meets the requirement of informed consent detailed in the GDPR (General Data Protection Regulation).
Identified amendments to legislation are sufficient
Sitra is of the opinion that the amendments to legislation identified in the memorandum are sufficient. However, Sitra notes that after the two-phase consent in accordance with the GDPR, there still remains the question of whether the register is to be administered by the competent authority. The Communicable Diseases Act, especially sections 20 to 24, defines the duties and rights of people and of authorities in the case of a pandemic.
The competent authority, as defined in the Communicable Diseases Act, is the Finnish Institute for Health and Welfare (THL), which has the right and the duty to maintain a Communicable Diseases Register. The law also authorises THL to start a temporary disease register for the duration of a pandemic. An infected person has a duty to report to the authorities the details of any contact they have had with others before the infection. This is in accordance with the hybrid model of the Ketju application, which employs a distributed system that stores only a minimum amount of data on phones. In practice, the data comprises the phone numbers of people met, in encrypted form.
Therefore, Sitra considers that no amendments to legislation are required and that the process can continue on the basis of two-phase consent and the authority conferred on THL, as well as on municipal authorities and hospital districts, by the Communicable Diseases Act.
Possible specific proposals for amending regulations
In Sitra’s view, the Communicable Diseases Act in itself offers sufficient rights and duties for continuing without delay, and there is no need to amend regulations.
Application mainly benefits three parties
According to Sitra, an application benefits in particular the competent authorities in tracking chains of infection quickly and efficiently. Other automated tools, such as automated phone calls for contacting those exposed to risk, should also be utilised.
Other beneficiaries are hospital districts and municipalities because an application will provide them with information regarding chains of infection in their area quickly and efficiently.
The third group of beneficiaries are people themselves, who are informed quickly about any potential coronavirus infection and can then take the necessary measures.
Possible risks related to the application’s preparation and deployment
Losing valuable time in the preparation phase poses a risk from both health and financial points of view. We contend that it would be most efficient to grant the competent authority a mandate to proceed as quickly as possible.
We do not see a role for KELA in making the operation run more smoothly in this phase.
Shared European practices and compatible information sharing protocols are important
It is important to note that the efficient management of the current pandemic, as well as possible future pandemics, requires methods that are shared at the European level, at the very least, and compatible protocols for sharing information and communicating within and between countries. Therefore, it is important that applications across Europe share high levels of compatibility and that any implemented solutions ensure that the requirements of consent management are taken into account as early as the architectural stages.
For the last two years, Sitra has been building a consent-based framework that is in accordance with GDPR regulations. A European pre-standard of the framework is already available on the website of CEN – The European Committee for Standardization. Digital solutions that comply with the IHAN operating model respect people’s privacy, are based on trust and, with the consent of the individual, enable combining data from several different sources.
Making the tracking process and application more efficient must be done without delay because the pandemic’s waves of infection will continue and keeping the coronavirus under control will pose a challenge until a vaccination is available.
The pandemic reveals development needs in operations as well as in the IT administration that supports them. The lessons learned should be adopted. Technology and applications by themselves have little impact if it is not ensured that we have sufficient resources for the entire “test, isolate, track and treat” process as well as the skills required for the new operating model.