The Philippine government, through the Department of the Interior and Local Government (DILG), is taking complete control of the StaySafe contact tracing app developed by a local tech firm. This is after the government and the tech firm signed a Memorandum of Agreement (MOA) that will give the DILG complete responsibility and controllership over StaySafe.PH and all sensitive personal data that are collected with the use of the application.
The agency believes that instead of using other apps, local government units (LGUs) must use one app for a unified system that will allow seamless, fast, and efficient contact tracing efforts. The government recognises that they need to further intensify their contact tracing initiatives especially now that the country has a surge of COVID-19 cases. With the help of the app and the dedicated efforts of contact tracing teams nationwide, the agency believes that this can help in successfully tracking down the cases and their contacts and prevent the spread of the virus.
The National Privacy Commission (NPC) welcomed the signing of the agreement even as it stressed that privacy should be considered in government interventions that make use of personal data. When the government collects the personal data of citizenry, they owe these citizens a solemn covenant to protect their data and ensure that we will not use their data for other purposes, said NPC.
The NPC said gaining the trust of the citizens is crucial in the success of the government’s contact tracing efforts. They said that Filipinos need to be assured that data is handled securely; the data demanded of them is proportional to the purpose; they can understand how their data will be used; there is a specific purpose for the processing, and their data will be retained for no longer than is necessary.
Furthermore, the NPC also recognises the immense benefits of data-driven technologies. They said that they treat personal information controllers all the same, and they help those that try to comply with the Data Privacy Act and its principles.
These apps must allow users to opt-in and out of digital contact tracing. Use of the app must be voluntary, with data subjects allowed to withdraw consent at any time. Opting out must not lead to negative consequences for the user. When different purposes exist in the app, there must be a separate consent and the purpose must be explained beforehand to users (e.g., the use of anonymised data for pandemic and epidemiology research and development purposes).
Developers must also ensure that users can exercise their data privacy rights by providing user controls in the initial onboarding and during the use of the app. A user control can be in the form of a dedicated privacy control panel or dashboard. They must also make the contact tracing app’s system access explicit, especially when it tries to access sensitive capabilities of the user’s mobile device (e.g., storage or microphone). When making a permission request, the app must disclose what it is accessing.
They must also define and set where personal data are stored. Put in place strict policies and safeguards to restrict the location points of the digital personal data processed by the contact tracing app. To prevent the data from being retrieved or the data subjects re-identified, delete, and dispose of the personal data securely when the primary purpose for processing has already expired and there is no other legal basis (like law enforcement) to keep the case details for a period longer than the existence of the pandemic.
Lastly, before implementing the app, business, system and process owners, or developers should conduct a privacy impact assessment (PIA) to identify data privacy and security risks.