NPC PHE BULLETIN No. 8: On COVID-19 -related apps, digital tools and solutions in this time of pandemic
April 20, 2020 | 11:34 AM GMT+0800 Last Edit: May 12, 2020
The National Privacy Commission (NPC) supports the successful use of digital technologies and the processing of personal data to enable health authorities contain the COVID-19 pandemic, in a manner that is effective and preserves and protects the data privacy rights of individuals.
For COVD-19 related apps to be successful , these must be inclusive and trusted. Therefore, efforts should be geared not only towards its rapid deployment but also in ensuring that the widest segment of the population with their devices can avail of these apps and that data quality is achieved. To be effective, such solutions must be trustworthy and acceptable for individual users to use with confidence so that users will share information without fear of misuse or discrimination.
COVID-19 related apps can only achieve the desired level of uptake if it is clear about its legitimate purpose, is transparent on how it uses personal data and proportional in its collection. The App must not over-collect personal information from users and collect only what is necessary for the purpose.
From the design stage, personal information controllers (PICs) must make sure that the app is solidly built on a legitimate purpose – making sure that it is limited to and consistent with the objective of helping defeat the COVID-19 pandemic. Thus, the app’s design, functionalities, personal data collection and extent of processing must never deviate from this purpose. Once the purpose is achieved, personal data processing must stop, while the collected and generated personal data must be disposed or discarded in a secure manner to prevent any further use. In doing so, breach-related privacy risks are minimized, thus enabling user trust and adoption by the general public.
The personal data to be collected and the manner of processing must be moderated with the principle of proportionality. This means PICs must collect only the minimum data necessary to achieve the declared and specific purpose, using the least intrusive method.
PICs must also ensure transparency by telling individual users, through an easy-to-understand privacy notice, how the app or digital solution will collect, use, store, and dispose their personal data. Users must also be made aware to whom, if any, shall their personal data be disclosed incidental to the processing.
Considering the inherent vulnerability of personal data processing over the internet and in anticipation of the latest cyber threats, PICs must also ensure that appropriate security measures are identified and implemented. PICs are also expected to inform users of their data subject rights and incorporate mechanisms to easily exercise them.