HSE chief executive Paul Reid
Pic: RollingNews.ie
HSE server will delete user IP address on tracker app
The HSE has published a data protection impact assessment for its COVID-19 tracker app.
Key documents on the app, including the source code, have been made public, as well as a detailed Product Explainer.
Rolling identifiers
The app works by recording if an opted-in user is in close contact with another user, by exchanging ‘anonymous rolling identifiers’ between mobile phones.
The HSE says the app will augment the existing testing and tracing operation and enable the notification of close contacts that are unknown to each other.
HSE chief executive Paul Reid (pictured) said: “The app will augment the existing contact tracing operations by quickly notifying users if they have been a close contact of a confirmed case, enabling users to record symptoms, and providing a trusted source of information about COVID-19.”
Diagnosis keys
Every two hours on Android, and every four hours on iPhone, the latest diagnosis keys from the HSE Registry will be downloaded by every user’s phone.
These will be used to check for matches against the identifiers that have been collected by the phone.
For the system to work, the Apple/Google exposure notifications settings must be turned on.
Anonymous user metric data will be collected and sent to the HSE, Department of Health, and public health teams.
Metric
Metric data is used to create aggregate views of how the app is being used and the impact it is having on the virus.
The HSE says the publication move is part of an ongoing commitment to openness and transparency around the app’s development.
The DPIA for the COVID-19 tracker app has been finalised on the basis of feedback from the Attorney General’s office and from the Office of the Data Protection Commissioner.
The app enables contact tracing to notify a user as quickly as possible if they have been in close and sustained contact with someone who has tested positive.
Functionality
Other functionality includes a check-in to record and upload health symptoms, without revealing one’s identity, to the HSE on a daily basis.
Health symptoms such as fever, cough, shortness of breath as well as personal data such as sex, age, county and town will also be collated.
Users’ Internet Protocol (IP) address is also transferred to HSE servers. Under data protection law an IP address is generally regarded as personal data.
Servers
However, the HSE says that while personal data transmitted between the app and its servers, it will not use an IP address to identify a user.
The documents say that the IP address is removed at the ‘front door’ of the HSE servers and any information shared is stripped of the IP address and cannot be linked back to the user.
The legal basis for the processing of the data is consent – namely Article 6(1)(a) of the GDPR.
A governance commitment is in place to dismantle the operation of the app once the COVID-19 crisis is over.
Application performance interface
Testing showed that the app was able to accurately detect 72% of close contacts using the Google/Apple application performance interface, which allows computer systems to talk to each other.
84% of the population aged 16+ own a smartphone in Ireland.
Researchers say 82% of Irish adults are willing to download a contact tracing app to their smartphone to curb the COVID-19 pandemic.
The EU has agreed guidelines to support the achievement of cross-border interoperability between tracing apps using a de-centralised architecture.
Gazette Desk
Gazette.ie is the daily legal news site of the Law Society of Ireland