APDCAT participates in an international initiative to evaluate data protection in COVID-19 applications and solutions

The Global Privacy Enforcement Network (GPEN), which integrates about 70 data protection authorities from around the world, has published the results of the GPEN Sweep 2020-21, an international study that this year has focused on analyzing the privacy of applications and solutions that have emerged to combat COVID-19.

The study, in which the Catalan Data Protection Authority (APDCAT) has participated, together with some twenty control authorities from Europe, America, Oceania, Asia and the Middle East, has shown a significant involvement of data protection authorities in anti-COVID-19 solutions. Thus, all the authorities consulted have been actively involved in assessing the privacy implications of COVID-19 solutions and initiatives.

The report concludes that organizations have shown significant awareness of the privacy risks associated with these solutions and have established clear rules on the processing of personal information involved. COVID-19 mobile contact tracking applications have been the focus of control authorities, although other initiatives such as electronic wristbands, COVID-19 vaccine registries and national border registries have also been a concern.

In the case of Catalonia, the report highlights that the APDCAT was consulted on the legal provisions relating to the exchange of personal information between the Department of Health and other departments, such as the Department of Social Affairs and Families, the Department of Education, local authorities and hospitals.

Objectives of the Sweep 2020-21

The aim of GPEN Sweep 2020-21 is to analyze at a practical level whether the organizations responsible for various COVID-19 solutions and initiatives have taken into account and how they have taken into account privacy considerations, as well as the level of commitment of the control authorities, either through evaluations of contact tracking applications or any other public or private sector initiative.

Thus, the Sweep has explored how the international community of supervisors has related to local governments, to identify and understand the risks associated with COVID-19 initiatives and to make recommendations to improve compliance with privacy laws and Data Protection. Also corrective measures, actions and outreach activities.

Privacy assessments

The study reveals that almost all areas consulted have a mobile contact tracking application COVID-19, which uses Bluetooth technology to alert users if they have been near another user of the application that has given positive to the coronavirus and whether they have visited a place at the same time as another person who was reported.

Most health authorities have carried out privacy impact assessments and have contacted the competent supervisory authority at an early stage to mitigate the identified privacy risks. For example, key concerns have been identified about identifying people from personal information collected through contact tracking applications and the retention of personal information collected. Control authorities 'recommendations include that personal information be stored locally on users' devices rather than on centralized servers, and that personal information collected to combat COVID-19 be securely destroyed as soon as possible, once it is no longer needed.

In addition, the study highlights that several supervisory authorities have carried out enforcement actions in response to complaints received, and all regulators have developed educational materials related to privacy issues arising from health measures from the COVID-19.

21 years of GPEN

GPEN is a network created in 2010 on the recommendation of the Organization for Economic Co-operation and Development. Its aim is to foster cross-border cooperation between privacy regulators in an increasingly global market in which trade and consumer activity are based on the continued flow of personal information across borders. Its members seek to work together to strengthen the protection of personal privacy in this global context. The network is made up of more than 70 privacy control authorities from 40 jurisdictions around the world. GPEN Sweep is currently chaired by the Office of the New Zealand Privacy Commissioner.