Written by Michael Custer
We previously discussed privacy considerations on the blog related to the provincial government’s COVID-19 contact tracing app in Alberta, ABTraceTogether. Most Albertans are not using the ABTraceTogether app: since its release, the Alberta app has had numerous functional issues, leading many Albertans to question its utility.
Both the Alberta and British Columbia governments opted out of a similar Canada-wide app offered by the federal government commencing July 31, 2020 called “COVID Alert”. The Alberta government also refuses to endorse the federal app, with one of its concerns being that COVID Alert is simply an exposure notification tool as opposed to a contact tracing tool.
How the COVID Alert app works
COVID Alert works by allowing users of the app to anonymously disclose a positive COVID-19 test within the app, and then alerts other users of the app who came into close contact with that person in the past 14 days. COVID Alert monitors users’ proximities to each other by way of Bluetooth signals sent from each users’ phones. ABTraceTogether also uses Bluetooth technology and stores users’ confidential logs on their phones, but stores those logs for 21 days.
In contrast to the federal COVID Alert app which relies on automatic notifications to users following the disclosure of a positive COVID-19 test, ABTraceTogether is connected to the “human side” of Alberta's contact tracing system because notifications received by the provincial app are manually input into Alberta’s contact tracing system (and subsequent exposure notifications) by employees.
COVID Alert Privacy Protections
The federal government’s collection of personal information is governed by the Privacy Act 1. Generally speaking, the Privacy Act prohibits the federal government’s collection of personal information about an identifiable individual without first obtaining that person’s consent, after having informed the individual of the purpose of the collection.
The use of both COVID Alert and ABTraceTogether is voluntary, with user consent being required in order for the app to become active on a user’s phone, and for other users to be informed of a positive diagnosis. COVID Alert also store users’ confidential information on their phones in an encrypted manner via randomly generated codes, making it highly unlikely for app users or their personal information to be identified by using COVID Alert.
As with ABTraceTogether, COVID Alert has several privacy and data protections built into its use. It works by collecting and storing random codes on app users’ phones for 14 days, including codes of other app users’ phones within a certain distance (to collect exposure data based on proximity). These random codes are used and stored in app users’ phones only, and not with any governmental authorities, although ABTraceTogether users can voluntarily share their information with Alberta Health Services.
Neither of the apps collects or stores information about a user’s identity or location, although the ABTraceTogether app allows users the option of providing Alberta Health Services with access to their ABTraceTogether data to facilitate manual contact tracing. Neither of the apps collects or stores information about a user’s name or address, phone contacts, or health information.
One notable distinction between the apps is that ABTraceTogether users must register their phone number in order to download the app, whereas the COVID Alert app uses an anonymous key to share data. Although ABTraceTogether users can delete the app at any time, they also have to contact the Alberta Health Information Act Helpdesk directly to have their phone number deleted from the app’s database.
Information Sharing and Notification of COVID-19 Exposure with the Apps
For both apps, a user’s consent is required to disclose information regarding a positive COVID-19 diagnosis. Methods of notification on the apps differ slightly: the COVID Alert app notifies users immediately once a user consents to share his or her information, but ABTraceTogether notifications can take several days based on the manual entry of a user’s information into Alberta’s contact tracing system. In addition, because ABTraceTogether users have to provide their mobile phone numbers to download the app, they can be contacted directly by Alberta Health Services in the event of a positive COVID-19 diagnosis.
Following a positive COVID-19 diagnosis, COVID Alert users can elect to anonymously and voluntarily share their encrypted COVID-19 data (random codes stored on their phones) with a central server operated by the Government of Canada. Note that although app users in Alberta and BC are not able to report a positive diagnosis through the COVID Alert app, COVID Alert users in Alberta and BC can still be notified through the app if they come into contact with someone from a reporting province or territory, or when other app users in their area are able to report a diagnosis.
All random codes collected by COVID Alert, on users’ phones and those uploaded to the central database, are deleted after 15 days. COVID Alert users who delete the app from their phone can also choose to manually delete the Exposure Logs collected by the app from their phone’s settings, or wait 15 days for the random codes to be automatically deleted.
For more information regarding privacy considerations of the COVID Alert app, please see the Government of Canada website here.
Health Canada’s privacy assessment of the COVID Alert app can be found here.
Carscallen LLP’s Privacy Law Expertise
Carscallen LLP’s Privacy Law Group advises private businesses, public sector entities and healthcare clients on compliance with their obligations under applicable national and provincial privacy laws, including Canada’s Anti-Spam Legislation (CASL), the Personal Information Protection Act of Alberta (PIPA), the Freedom of Information Protection Act of Alberta (FOIP), the Healthcare Information Act of Alberta (HIA), and the CRTC’s Unsolicited Telecommunications Rules. We offer a full range of legal services in the area of Privacy Law. If you have any questions about your business or organization’s compliance with its privacy law obligations, or you need advice on a potential or actual privacy breach, please contact a member from our Privacy Law group for more information.
1 Privacy Act, RSC 1985, c P-21.
*This update is intended for general information only on the subject matter and is not to be taken as legal advice.