The ten Fair Information Practice Principles (or FIPPs) set out in the Personal Information Protection and Electronic Documents Act (PIPEDA) underpin the TraceSCAN privacy
Facedrive Health is responsible for personal information in its possession or under its control, as well as for establishing the overall compliance framework for TraceSCAN. Facedrive Health has designated Junaid Razvi, firstname.lastname@example.org, as the Privacy Officer for TraceSCAN. He will coordinate with the development, legal and compliance teams to ensure overall privacy compliance.
This will include using contractual or other means to ensure a comparable level of protection while information is being processed by third parties on Facedrive Health’s behalf.
As the TraceSCAN project evolves, local health authorities may establish independent data stores and related infrastructure, which they will control. The TraceSCAN Privacy Officer will coordinate with these authorities to establish standards and protocols for privacy and data protection. However, each local health authority will be accountable for their individual contact tracing programs, including any personal information they choose to collect, use or disclose as part of those programs.
4.2 Identifying Purposes
The fundamental purpose of TraceSCAN is to facilitate contact tracing, to help reduce and
ultimately stop the spread of COVID-19. This purpose will be clearly communicated to users and potential users, via the website, app store descriptions, and within the on-boarding process.
Any future secondary purposes, such as future research, will be offered on an opt-in basis, and users may choose whether or not to participate. Information about such secondary purposes will be communicated to users at or before the time they are given the option to opt in.
Consent and user control are central to the TraceSCAN model. Users retain full control over their participation and can withdraw consent at any time.
Acquisition of Consent
A user will need to provide express consent (1) to allow their phone number to be stored securely in TraceSCAN’s registry, and (2) to allow other TraceSCAN users to send health officials information pertaining to encounters with a user if they are diagnosed with COVID-19.
In regard to (1): The user’s device interacts with other devices over Bluetooth™ and generates an encounter log history. If a user who is diagnosed with COVID-19 decides to inform health officials, TraceSCAN will also obtain a listing of this contact history and be able to identify phone numbers. This information will be securely stored in the back-end service and will not be misused for commercial or non-commercial gain. It will be kept confidential and retained only for the sole purpose of advancing COVID-19 research efforts.
In regard to (2): As multiple users of TraceSCAN interact, their devices pair and generate the encounter log history. In order to appear in another user’s encounter log history, a user must consent that other users, if they become diagnosed with COVID-19, can alert health officials that they have encountered that user. This ensures that an encounter log history only tracks devices whose users have given permission for contact tracing.
Users will be able to access the privacy standards that outline the key objectives and measures in place to ensure that the app upholds the privacy of its users and does not misuse any information for commercial or non-commercial gain.
This app will uphold privacy as follows:
● A user decides whether to share their encounter information with health officials; before that decision, no information about the user or the encounter log history is available to anyone.
● When a user’s device pairs with another device with the TraceSCAN app, the encounter log history will not be accessible to the user.
● The encounter log history will only be accessible to authorized health officials with a unique code if the user gives consent to sharing the device’s encounter history.
● The encounter log history will be safely secured in the back-end service of the TraceSCAN app only when a user consents to giving the contact history to authorized health officials.
● A user that does not want to be tracked in a device’s encounter log history will not have their device paired with other devices.
Withdrawal of Consent
We believe users should be in control of their personal data and have the ability to delete this from the system. If a user withdraws consent to use their personal data, provided they have not voluntarily provided contact history data to health authorities for contact tracing, their UserID and phone number will be deleted from the back-end database. Since the phone number is the only source of identity, deleting it will make it impossible to re-identify the temporary IDs generated for that user that were previously sent to other devices.
All local contact data stored on the participating user’s device is automatically deleted when the user withdraws consent in this manner and, unless they have voluntarily shared it with a health authority, it is not stored anywhere else. No new contact data would be collected or disclosed after that withdrawal of consent (unless the user re-installs the app and provides a new consent). However, if a participating user has previously shared any contact history data with health authorities for contact tracing, health authorities may retain that information subject to applicable law and their own retention policies.
4.4 Limiting Collection
TraceSCAN has been carefully designed to avoid unnecessary collection or storage of personal information. Phone number, operating system and the exact model of the phone are the only information required from the user. The phone number, which is securely stored, is required to deliver notifications in the event that the person is determined to have potentially been exposed by proximity to another participating user who tests positive for the virus. Users may (but are not required to) opt in to provide additional information such as age, symptoms and the first three characters of their postal code.
When two participating devices encounter each other, they exchange non-personally identifiable messages that contain temporary identifiers. The identifiers rotate frequently to prevent third parties from tracking users. The user’s encounter history is stored locally on the user’s device; none of this data can be directly accessed by the health authority or any third party.
4.5 Limiting Use, Disclosure, and Retention
The TraceSCAN design allows health authorities to send push notifications to participating users who have potentially been exposed to the virus, without needing to know the identities of the people who will receive them. When a participating user uploads their contact log history, the health authority is presented with the pseudonymous temporary identifiers, along with minimum and maximum signal strength observations and the dates and times of the contact. No other information is disclosed to the health authority. Notifications are delivered without any participating user knowing the identity of any other.
Limited retention periods are designed in and automatically enforced by the TraceSCAN app. A device’s temporary identifier rotates frequently on a rolling 21-day retention period, preventing malicious actors from tracking individual users over time. Local contact log histories on participating devices are automatically deleted after this rolling 21-day period expires.
If a participating user has shared contact log history data with health authorities to enable contact tracing, shared data will be retained by health authorities, subject to their respective retention policies and applicable law.
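The data flow described in this section and under Withdrawal of Consent above can be modelled with a few lines of code. The following is an added example written for this page; it is not TraceSCAN's code, and the class names, the 15-minute rotation interval (the policy only says "frequently"), the signal-strength units and the sample encounters are assumptions. It shows a device rotating its temporary identifier, recording only pseudonymous identifiers with minimum/maximum signal strength and timestamps, purging entries outside the rolling 21-day window, uploading nothing beyond those fields, and a registry whose only identifying link (UserID to phone number) is removed on withdrawal of consent.

```python
"""Added illustration of the TraceSCAN retention and consent model (not project code).
Assumptions: rotation interval, field names and sample data are made up for the example."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

RETENTION = timedelta(days=21)      # rolling retention period stated in the policy
ROTATION = timedelta(minutes=15)    # assumed rotation interval; the policy says "frequently"


@dataclass
class Encounter:
    """One peer seen over Bluetooth, keyed by the peer's temporary identifier only."""
    temp_id: str
    first_seen: datetime
    last_seen: datetime
    min_signal: int   # weakest observed signal strength (assumed dBm)
    max_signal: int   # strongest observed signal strength (assumed dBm)


class Device:
    """Local encounter log held on a participating phone."""

    def __init__(self, now: datetime):
        self.log: dict[str, Encounter] = {}
        self._temp_id = ""
        self._issued_at = now
        self.rotate(now)

    def rotate(self, now: datetime) -> None:
        # A fresh random identifier; it carries no link to the phone number.
        self._temp_id = secrets.token_hex(8)
        self._issued_at = now

    def current_id(self, now: datetime) -> str:
        """Identifier broadcast to peers; rotates once the interval has elapsed."""
        if now - self._issued_at >= ROTATION:
            self.rotate(now)
        return self._temp_id

    def observe(self, peer_id: str, signal: int, now: datetime) -> None:
        """Record a sighting of a peer, keeping only min/max signal and times."""
        e = self.log.get(peer_id)
        if e is None:
            self.log[peer_id] = Encounter(peer_id, now, now, signal, signal)
        else:
            e.last_seen = now
            e.min_signal = min(e.min_signal, signal)
            e.max_signal = max(e.max_signal, signal)

    def purge(self, now: datetime) -> int:
        """Drop encounters whose last sighting is older than the 21-day window."""
        cutoff = now - RETENTION
        self.log = {k: v for k, v in self.log.items() if v.last_seen >= cutoff}
        return len(self.log)

    def upload(self, now: datetime) -> list[dict]:
        """What a health authority receives after an affirmative user action:
        pseudonymous identifiers, signal range and times, and nothing else."""
        self.purge(now)
        return [
            {
                "temp_id": e.temp_id,
                "first_seen": e.first_seen.isoformat(),
                "last_seen": e.last_seen.isoformat(),
                "min_signal": e.min_signal,
                "max_signal": e.max_signal,
            }
            for e in sorted(self.log.values(), key=lambda e: e.first_seen)
        ]


class Registry:
    """Back-end store: the phone number is the only identity it holds."""

    def __init__(self):
        self._users: dict[str, str] = {}

    def register(self, phone: str) -> str:
        user_id = secrets.token_hex(8)
        self._users[user_id] = phone
        return user_id

    def can_notify(self, user_id: str) -> bool:
        return user_id in self._users

    def withdraw(self, user_id: str) -> None:
        """Withdrawal of consent: delete the UserID/phone pair, leaving no way back
        from previously broadcast temporary identifiers to a person."""
        self._users.pop(user_id, None)


if __name__ == "__main__":
    t0 = datetime(2020, 6, 1, 12, 0)        # constructed sample time
    dev = Device(t0)
    dev.observe("peer-a", -70, t0)
    dev.observe("peer-a", -60, t0 + timedelta(minutes=1))
    dev.observe("peer-b", -80, t0 - timedelta(days=22))   # outside the window
    print(dev.upload(t0))                   # only peer-a, with min/max signal and times
```

The `upload` output is deliberately the full extent of what leaves the device: no phone number, no location, no raw per-packet readings. Note also that `Registry.withdraw` is what gives the "impossible to re-identify" claim its force, since nothing else in the back end links a temporary identifier to a person.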
TraceSCAN has been designed as a means to support and enhance contact tracing on an opt-in basis. No automated decisions are made based on the data collected by the app. Local health authorities will have final responsibility to determine what advisory notifications, if any, to send to participating users.
Receiving an unnecessary notification that one may have been exposed to the virus may cause some stress. However, there would be relatively few other direct consequences of a false positive. Nonetheless, TraceSCAN will include measures intended to promote data integrity and accuracy.
● All notices will be delivered to phone numbers that have been validated during onboarding.
● Users can disable contact data collection on a temporary basis, if phones need to be shared or stored, avoiding collection of incorrect contact information.
● User data is securely stored on participating devices for 21 days, protected from tampering or modification.
● Rolling data retention periods ensure that any incorrect or misleading data will be self-correcting over time.
● Future deployment of wearables will further increase data accuracy, since a worn device is less likely to be separated from the user.
TraceSCAN is designed to safeguard user privacy and give users control of their data. The protocol includes the following privacy safeguards:
• Limited collection of personal information. The only personal information collected is a phone number, which is securely stored by the health authority.
• Robust encryption. Data is encrypted both at rest and in transit. Private keys used to unlock contact log history data are only released to authenticated health authorities, via an affirmative user action.
• Local storage of encounter history. Each user’s encounter history is stored exclusively on their own device. The health authority only has access to this history when an infected person chooses to share it.
• Positive authentication of authorized disclosures. Individual unique verification codes are provided to users, to confirm authorized requests for access to their stored contact log history. Users must then enter a unique PIN to authorize the disclosure. There are no administrative overrides and no way for health authorities (or others) to access user data without affirmative user consent.
• Rotating temporary pseudonymous identifiers. Third parties cannot use TraceSCAN to track users over time. A device’s temporary identifier rotates frequently, preventing malicious actors from tracking individual users over time.
• Revocable consent. Users have control of their personal data. When they withdraw consent, local data stored on their devices is deleted and (provided they have not previously voluntarily provided encounter history data to health authorities for contact tracing) their identifying information will be removed from back-end storage, making it impossible to re-identify previously generated temporary identifiers.
• Secure back-end infrastructure. The TraceSCAN architecture requires relatively little back-end infrastructure. However, it will support industry-standard secure cloud platforms, such as Amazon Web Services. Facedrive Health will work with local health authorities to assist them in securely integrating their back-end platforms with the TraceSCAN app.
Consistent with the Office of the Privacy Commissioner of Canada’s guidance on obtaining meaningful online consent, information about how information is being collected and used will be provided directly within the user experience of the app, both as part of the on-boarding process and on a just-in-time basis when a health authority requests access to encounter
Google requires developers to request location permissions if an app uses Bluetooth services. By tying Bluetooth access to location services, Android ensures that the user understands that their location can be inferred using Bluetooth. In versions of Android prior to Marshmallow, the user could use Bluetooth without location services enabled, and certain developers could exploit this to infer the user’s location.
TraceSCAN seeks to be transparent about this and does not store any location data, now or in the future. GPS can be turned off without affecting the functionality of the app, but accepting the permissions is mandatory. This is explicitly stated when the user is asked to enable app permissions on first installing the app.
Sample screenshots showing the current form of the user experience appear below. Some details may be subject to change as further development proceeds.
4.9 Individual Access
All personal information collected by the app, including the stored encounter history, is directly accessible to the user within the app, at all times. User-supplied information can be updated and corrected by the user. Local encounter history data can be deleted by the user but cannot be edited, in order to protect data integrity.
4.10 Challenging Compliance