On May 1, 2020, the Province of Alberta launched ABTraceTogether, an Android and iOS compatible contact tracing app users voluntarily download for tracing and notifying users who may have been exposed to COVID-19. ABTraceTogether is used by Alberta Health and Alberta Health Services (AHS) to supplement manual contact tracing completed by public health officials.  ABTraceTogether was announced just prior to the issuance in May 2020 of joint guidance by the federal and provincial privacy commissioners regarding the use of contact tracing apps against COVID-19.

On June 18, 2020, following on Alberta’s launch and the joint guidance, the Canadian federal government has now announced plans to introduce a Canada-wide contact tracing app. The government-sponsored apps and privacy commissioner guidance provide important direction to the development and use of contact tracing in the private sector.

ABTraceTogether App

ABTraceTogether uses Bluetooth technology to maintain, within each individual user’s mobile device, an anonymous log of other app users with whom the device user has been in contact. Specifically, mobile devices exchange Bluetooth-enabled secure encrypted tokens when another device containing the app is detected nearby. The Bluetooth proximity data that is collected and logged is anonymized and encrypted, and does not reveal users’ identity.

Alberta residents who test positive for COVID-19 are asked if they already use the ABTraceTogether app, and if so whether they are willing to provide their encounter logs so that other users with whom they have been in close contact may be notified.  The app applies the definition of “close contact” used by AHS, which is approximately within two meters, for contact tracers to determine whether a user has had probable exposure to COVID-19.  To measure distance, information about the phone model and the signal strength recorded is collected and stored. The app also uses successive communications between devices to estimate the duration of the encounter.

Users are able to upload and share with AHS their encounter logs from the app for the preceding 21 days.  If based on a user’s activity, the user may have been exposed to COVID-19, an AHS contact tracer will use the contact information registered with the ABTraceTogether app to notify the user of their risk of exposure.

In announcing the steps taken to address privacy concerns, the government of Alberta provided information regarding the privacy functionality and protections provided by the app, which include:

  • Geolocation data is not collected (i.e., the information retrieved will not be able to identify where a user has been, such as city or address); rather, the app works on the basis of relative physical proximity.
  • The Bluetooth exchange ID log data collected is stored locally within the device in an encrypted form. This data cannot be accessed by AHS unless a user chooses to upload it as a result of being diagnosed with COVID-19. Log data includes an encrypted temporary ID, phone model, and Bluetooth strength indicators. 
  • Mobile numbers and other personal information are not revealed to other apps. Only temporary IDs are exchanged between devices, and these IDs change regularly.
  • Deleting the app halts the collection of logs by the device and all data associated with or generated by contact with the app will automatically be deleted from all mobile devices after 21 days, including the user’s device and the devices of other users who were in proximity to the user who deleted the app.
  • Users can also request to have their phone number removed from the registration system by sending an email to an AHS email address.  This step renders meaningless all data that the device has exchanged with other phones, because that data is no longer be associated with the user. 

The government of Alberta has published an ABTraceTogether privacy statement which addresses the use of the user’s personal information collected by Alberta Health and AHS through the ABTraceTogether app. By accepting the terms and conditions set out in the privacy summary when registering for the app, users consent to the use and potential disclosure of personal and health information by Alberta Health and AHS to one another.

Privacy Commissioners’ Guidance Regarding Tracing Apps

Shortly after the launch of ABTraceTogether, on May 7, 2020, the federal, provincial and territorial privacy commissioners released a joint statement, outlining principles for the development and use of COVID-19 tracing applications. Although aimed at government institutions, the principles also provide useful guidance to the private sector:

  • The use of apps by governments must be voluntary, with a high level of transparency and accountability.
  • Measures must have a clear legal basis, separate consent must be provided for all specific public health purposes, and information should not be accessible or compellable by service providers or others.
  • Measures must be necessary, proportionate, science-based, tailored to a specific purpose, minimally intrusive, and likely to be effective.
  • Personal information must be used for its intended public health purpose, and for no other purpose.
  • De-identified or aggregate data should be used whenever possible and consideration should be given to the risk of re-identification, especially in the case of location data.
  • Any personal information collected during this period should be destroyed when the crisis ends, and the application decommissioned.
  • Canadians should be fully informed about the information to be collected, how it will be used, who will have access to it, where it will be stored, how it will be securely retained and when it will be destroyed. 
  • Governments should develop and make public an ongoing monitoring and evaluation plan concerning the effectiveness of these initiatives and commit to publicly posting the evaluation report within a specific timeline.
  • Appropriate legal and technical security safeguards, including strong contractual measures with developers, must be put in place to ensure that non-authorized parties do not access data and that data are not used for any purpose other than an intended public health purpose.

Federally-Sponsored Nationwide App

Since the launch of ABTraceTogether and the privacy commissioners’ guidance, there have been reports that other Canadian provinces, including New Brunswick, Manitoba, Saskatchewan, and Newfoundland and Labrador, are contemplating the use of contact tracing apps.  However, on June 18, 2020, Canadian Prime Minister Justin Trudeau announced that a voluntary nationwide contact tracing app would be introduced, potentially avoiding the need for province-specific tracing app options. With an anticipated launch date of July 2, 2020, Ontario will be the first province to beta test the nationwide app, with further adoption to come in the following weeks. While the federal government has not yet disclosed what data will be collected or shared through the use of the nationwide app, the Prime Minister has stated that no location services will be used.

Similar to the ABTraceTogether app, the nationwide app will incorporate Bluetooth technology to record instances where users may have come into close contact with one another, and will not disclose the identity of app users. The app was created as a partnership between the Canadian Digital Service and the Government of Ontario, with participation from two leading Canadian technology and security companies.

Implications for Businesses

While the availability of a Canada-wide government-sponsored contact tracing application may to some extent avoid the need for private sector applications directed broadly at the public, it is unlikely to alleviate the demand for private sector tracing apps targeting employees.

Businesses and other private sector organizations in Canada developing or planning to use contact tracing apps should take into account the functionality of the government-sponsored applications, and the regulatory guidance provided by the various Commissioners.   

If you have any questions about ABTraceTogether, contact tracing app developments in Canada, or any other privacy law, please do not hesitate to reach out to the authors, Arlan Gates, Brian Hengesbaugh, and Harry Valetk.

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author

Arlan Gates practices commercial and regulatory law as a member of Baker McKenzie's Global International Commercial & Trade and Antitrust & Competition groups. He leads the Canadian Antitrust, Competition and Foreign Investment Practice.

Author

Harry is a partner based in New York. He advises global organizations on privacy and data security compliance requirements. His practice is focused on delivering commercially practical advice on designing security, privacy, and technologically compliant solutions.

Author

Karina focuses her practice on information technology, privacy and data protection, electronic commerce, information governance, and consumer protection. She also advises clients in the areas of outsourcing and commercial transactions.

Write A Comment