The Office of the Information and Privacy Commissioner of Alberta (OIPC) released a report today on its review of the ABTraceTogether privacy impact assessment (PIA). The PIA was submitted by Alberta Health (AH), and endorsed by Alberta Health Services (AHS), as required by Alberta’s Health Information Act (HIA).
“With the global attention on contact-tracing apps during the COVID-19 pandemic, I prioritized my office’s review of ABTraceTogether and took the additional step of publishing this report in the interests of transparency. While I am not in a position to endorse a particular technology solution, we found Alberta Health was mindful of privacy and security in deploying the app,” said Information and Privacy Commissioner Jill Clayton.
In particular, the review highlighted ABTraceTogether’s clear purpose to supplement already established contract-tracing processes, AH’s consent-based approach, limited collection of health or personal information when registering to use the app, and AH’s efforts to mitigate the risk of secondary use of information collected by the app, specifically for quarantine enforcement.
“Despite the positive aspects, I have ongoing concerns related to the functionality of ABTraceTogether on Apple devices. We recognize the challenges AH has faced in this regard, since the safeguards required are out of its control. Nonetheless, given the need to run ABTraceTogether in the foreground on Apple devices, there is a security risk. Running the app on Apple devices requires a device to remain unlocked, which significantly increases risk in case of theft or loss,” said Clayton.
The risk on Apple devices increases for employers in the public, health and private sectors that have obligations to reasonably safeguard health or personal information under Alberta’s three privacy laws – the Freedom of Information and Protection of Privacy Act, HIA and Personal Information Protection Act.
For employers that provide employees with devices or allow employees to use their own devices for work purposes, and those devices store or otherwise make accessible health or personal information (e.g. email or cloud service portals), the risk for running the app on Apple devices represents a potential contravention for failure to safeguard under Alberta’s privacy laws.
The OIPC accepted the ABTraceTogether PIA with recommendations. Acceptance of the PIA acknowledges that AH has taken reasonable steps to protect privacy. Acceptance is not a waiver or relaxation from legislated requirements.
There were several findings and recommendations in the report. Some recommendations relate to clarifying inconsistencies found between documentation provided during the PIA review and what is made available publicly. The OIPC also recommended AH to continue to report publicly on the use and effectiveness of ABTraceTogether, and on its plans to dismantle the app when the time comes.