POSITIVE PRACTICES
- Responses involving government use of personal data are developed through broad public consultations and administered openly and transparently.[1]
- Participation in COVID-19 responses involving government use of personal data is voluntary and non-participation does not carry negative consequences.
- Collection, use, sharing, storage, and processing (including algorithmic processing) of personal data is limited to what is strictly necessary to respond to COVID-19, based on determinations by privacy and public health experts.
- Governments use personal data only with adequate safeguards, including anonymization, secure storage, and limitation of access to persons and purposes necessary to carrying out effective COVID-19 responses.
- Governments regularly assess the effectiveness of the use of surveillance technology as part of COVID-19 responses.
- Public-private partnerships and public procurements relating to collection, use, sharing, storage, and processing of personal data are subject to open procurement and transparent reporting standards, and are entered into only after conducting due diligence and human rights impact assessments.
- Use of personal data for other commercial or law enforcement purposes, including enforcement of immigration policies, is strictly prohibited.
- Responses involving government use of personal data are implemented only for the duration of the COVID-19 crisis, with data collected or processed for these responses separately stored or flagged and erased thereafter.[2]
EXAMPLES
- In Australia, authorities have released an app which permits users to notify authorities if they test positive for COVID-19, with other users who have had close contact with infected persons then notified by health authorities. Use of the app is voluntary, declining to use the app cannot result in denial of services, data stored on-device is subject to regular deletion, only health workers can access data stored off-device and then only with user permission, and the source code for the app has been publicly released.
[1] As described above, these responses must also be lawful and subject to robust legislative and judicial oversight.
[2] Some anonymized data may justifiably be retained for historical and research purposes, in the public interest.