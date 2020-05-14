Much ink has been spilt about Covid-19 tracing apps since the scale of this pandemic became clear. A pattern is emerging. The HSE issues some bland pronouncements about best practice design and, in response, privacy purists warn of an impending Orwellian dystopia. This doesn’t augur well for the uptake of this vital if intrusive tool.

It is vital given its role in preventing the spread of the virus, but intrusive in that it creates a phenomenal new source of sensitive information which state bodies and other organisations could exploit.

Since the optimistic HSE pronouncements in March about having a tracing app ready in ten days, the technology has changed and the scope reduced. On the face of it both of these changes are to be welcomed as they point towards a more achievable design. But the continuing absence of facts is worrying and marketing hype is no substitute for detail.

Until a vaccine is developed, we have just three tools available to combat this epidemic: contact tracing, social distancing and quarantine. And it is contact tracing that is most in need of some technological assistance. The success of a tracing app depends on people having the confidence to download and install it. Today it is hard to see how that confidence is being built.

Already many Irish data protection organisations have written to the HSE calling for dialogue in advance of the release of the app. It appears that no one has received a meaningful response. This stonewalling could be sensible if the HSE had a high chance of success with their project. However, a glance at newspapers in Australia and Britain, where contact tracing apps have already been launched, suggests that public confidence is hard to secure. And it is not just Irish voices calling for dialogue and transparency.

The EU Commission’s recommendations for tracing apps call for “opportunities for the public to interact and participate in discussions”. Its more detailed contact-tracing toolbox goes even further and recommends “the publication/sharing of the source code” to ensure transparency.

Unfortunately, we probably won’t be permitted more detail about this vital app and the data it creates until development is complete. The HSE launch briefing will presumably praise the speed of development and then highlight some aspect of the process involved such as encryption or alignment with DP3T, the data privacy protocol. It will be implied that because the HSE got that single aspect right, the management of the entire solution is trustworthy. In response, we are likely to see an initial surge in downloads of the app as we all hope for a magic bullet to escape from lockdown.

Soon after, however, the various Irish data protection groups, currently being stonewalled, could target the HSE’s claim to have struck the perfect balance between privacy and effectiveness. It won’t be hard to choose some aspect of governance or training or technology and pick holes in the HSE’s story. This will be met by heated assertions that we must sacrifice privacy to save the weak. The fallacy that you have nothing to fear if you have nothing to hide will be rolled out with enthusiasm and extolled on talk radio. This futile debate will undermine public confidence and both downloads and usage of the app will fall away.

If this is the case, we could end up with an avoidable row as groups with off-the-wall agendas and a desire for publicity muscle into the debate. Ordinary people will tune out as a barrage of claims and counter claims generate confusion.

The alternative is for the HSE to take the Commission’s advice, embrace transparency and publish the Data Protection Impact Assessment (DPIA) as the NHS has. DPIAs were developed to communicate data protection risks and are mandatory for this kind of endeavour, so why not publish? It is, after all, an excellent tool to communicate the trade-offs that have been made.

We need to admit that no one has a perfect solution and that this temporary solution may well outlast us all. We can harness the vast pool of goodwill and talent in Ireland to develop a system that we can have faith in. It would be far better for the HSE to have an honest debate now, ahead of launch, than blindly crash into reality afterwards.

Michael Spratt is one of the founders of the European Association of Data Protection Professionals in Ireland and currently chairs the organisation. He is also a consulting partner with DigiTorc, a consultancy working with British and Irish organisations to minimise data protection risk