South Korea has been turning to apps in a bid to minimise contagion. These apps collect data from government information to enable users to identify how close they are to an individual who has been confirmed as having COVID-19. The information available to users about confirmed COVID-19 patients includes when the individual tested positive, demographic data and some of their location history based on GPS tracking. 'Corona100m', which has seen a huge surge in downloads in South Korea recently, notifies users if they come within 100 metres of a place where a person confirmed as having the virus has been.
South Koreans are not alone in utilising apps to try and tackle the spread of the virus and it seems the UK is considering something similar. It has been reported that scientists advising the government have said that alerting people to the fact that they have recently been in contact with someone testing positive for COVID-19, could be critical to managing the virus and the associated constrictions on daily life we are now faced with.
A team from the University of Oxford have published a study which suggests that "a contact-tracing app which builds memory of proximity contacts and immediately notifies contacts of positive cases can achieve epidemic control if used by enough people". It is proposed that at an app developed for this purpose would record people's GPS location data, as well as requesting users to scan QR codes posted to public amenities. The idea is that if a person starts to experience symptoms, they request a home test using the app. If the test returns a positive result for COVID-19, an alert is sent to people they have recently been in close contact with. Those people would be advised to self-isolate for 14 days, but would not be told who had caused the warning to be given.
Of course, any app which can do this is likely to require the processing of personal data (though Singapore have built their app 'TraceTogether' using Bluetooth signals and anonymous IDs). The European Data Protection Board has produced a statement on data protection in the context of COVID-19 outbreak, referring to the use of mobile location data. It has advised public authorities to seek to process location data in an anonymous way, which could enable the generation of reports on the concentration of mobile devices at any one location. Personal data protection rules do not apply to data that has been adequately anonymised and the ICO's Deputy Commissioner has confirmed that, provided individuals are not identifiable, privacy laws will not be breached by using generalised location data trend analysis to track the spread of COVID-19.
The UK government has now published notification that data controllers in healthcare organisations, GPs, local authorities and arm's length bodies should share information to support efforts against coronavirus. Whilst this authorises specific sharing, organisations are reminded that they must still comply with the GDPR.
Data protection aside, the question of whether any such app requires everyone to use it in order for it to be effective is a significant one. If these apps are not mandatory, what is the extent of their assistance? Will we need to be able to demonstrate our risk level before being allowed to go to certain places and is this a fair price to pay to be able to regain some normality in our lives? Clearly this requires very careful consideration and oversight.
Ultimately, it seems that for these apps to be effective, the availability of testing (in order to confirm cases) and a good proportion of the population willing to install the app are required.