COVID-19 app passed privacy assessment, commissioner says

The COVID contact-tracing app has passed a privacy assessment carried out by the Information and Data Protection Commissioner 

A privacy assessment was carried out on a new COVID contact-tracing app, the Information and Data Protection Commissioner has confirmed, over doubts raised on a health ministry app’s privacy safeguards.

Commissioner Saviour Cachia said a data protection impact assessment was submitted to the IDPC before government’s COVID-19 contact tracing app was launched.

Cachia said that on the basis of a legal and technical analysis, the app was given a favourable opinion to go live, saying the data controller had “mitigated any possible risks with the appropriate measures.”

The health ministry’s COVID-19 contact tracing app was launched last week, with well over 60,000 downloads in the first week. Six people who tested positive over the past week had downloaded the app and were given a code to input in the system.

Cachia said that the IDPC had analysed the overall technical framework and specifications, and that these had ensured the controller was implementing the necessary data protection principles during development.

“We made sure to check that the app developer had adopted the appropriate legal basis, securing any processing of data using the necessary technical measures, providing the necessary information to users, ensuring that the use of the app will be on a voluntary basis, providing reasonable retention periods and adopting a data protection by design and default approach,” he said.

The new COVID-19 app does not use geolocation data that can track users’ movements, and only sends data to the health ministry once a user who is COVID-19 positive inputs a code given to them by the health authorities.

The COVID Alert Malta app notifies users who could be at risk of having been exposed to the virus when COVID-19 positive users input the code.

The app only determines that contact with someone COVID-positive has taken place when both people have downloaded the app and have come into close proximity to each other. The app sends out a Bluetooth signal with a secret code that is changed randomly and on a continuous basis. When two app users are in close proximity, their phones mutually store the other’s code, registering the event, how long it lasted, and the approximate distance between the devices.

Exposure must have taken place for more than 15 minutes at a distance of less than 2 metres.

When a COVID-positive user is provided with the code that they voluntarily input in the app, the app uploads cryptographic keys to a server: those keys allow the system to identify all the codes broadcast from the ‘COVID-positive’ smartphone to the phones it came in contact with.

The secret codes and a decentralised data processing make the Superintendent of Public Health unable to identify the smartphone users. The app does not collect any identity data such as name, date of birth, address, telephone number, or email address.
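As an added illustration of the scheme described above (not code from COVID Alert Malta or its developers), the following Python models rotating broadcast codes derived from a per-day secret key, an on-device encounter log, a one-time upload code gating the key upload, and matching done locally on each phone against the 15-minute / 2-metre rule, so the server holds only keys and no identities. The HMAC derivation, the 10-minute rotation period and the server interface are modelling assumptions, not the app's specification.

```python
import hmac, hashlib, secrets
from collections import defaultdict

INTERVALS_PER_DAY = 144  # assumes the broadcast code rotates every 10 minutes

def rolling_id(daily_key, interval):
    """Short-lived broadcast code for one interval, derived from a per-day secret key (assumed scheme)."""
    return hmac.new(daily_key, interval.to_bytes(4, "big"), hashlib.sha256).digest()[:16]

class Phone:
    def __init__(self):
        self.daily_key = secrets.token_bytes(16)  # leaves the phone only if the user is positive
        self.seen = []                            # (code, minutes, metres) per recorded encounter
    def broadcast(self, interval):
        return rolling_id(self.daily_key, interval)
    def record(self, code, minutes, metres):
        self.seen.append((code, minutes, metres))
    def exposure_minutes(self, uploaded_keys):
        """Rebuild codes from uploaded keys locally; sum close-contact minutes per key."""
        close = defaultdict(int)
        for key in uploaded_keys:
            codes = {rolling_id(key, i) for i in range(INTERVALS_PER_DAY)}
            for code, minutes, metres in self.seen:
                if code in codes and metres < 2.0:
                    close[key] += minutes
        return max(close.values(), default=0)
    def at_risk(self, uploaded_keys):
        return self.exposure_minutes(uploaded_keys) > 15  # more than 15 min at under 2 m

class Server:
    def __init__(self, issued_codes):
        self.issued_codes = set(issued_codes)  # one-time codes handed out by the health authority
        self.keys = []                         # only keys are stored, never names or numbers
    def upload(self, code, keys):
        if code not in self.issued_codes:
            return False
        self.issued_codes.discard(code)        # each code is accepted once
        self.keys.extend(keys)
        return True

def simulate():
    alice, bob, carol = Phone(), Phone(), Phone()
    for i in (3, 4):                           # constructed: Bob near Alice for 2 x 10 min at 1.5 m
        bob.record(alice.broadcast(i), 10, 1.5)
    carol.record(alice.broadcast(5), 5, 1.0)   # constructed: Carol near Alice for only 5 min
    server = Server(["CONSTRUCTED-CODE-123"])  # constructed placeholder code
    rejected = not server.upload("bad-code", [alice.daily_key])
    server.upload("CONSTRUCTED-CODE-123", [alice.daily_key])
    return rejected, bob.at_risk(server.keys), carol.at_risk(server.keys)
```

Running `simulate()` shows the upload without a valid code is refused, Bob (20 minutes under 2 m) is flagged, and Carol (5 minutes) is not, all without the server learning who any phone belongs to.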

Importantly, all data – whether stored on the device or on the server – is deleted when no longer relevant, “and certainly no later than 21 days after transfer between app and server”, the developers say.