The Maltese health authorities are refusing to share information on the data protection risks associated with the use of their ‘COVID Alert’ app with the authors of a study on contact tracing apps and their compliance with privacy regulations.
The study, being undertaken by researchers from University College Dublin, will examine the use of Data Protection Impact Assessments (DPIA) in relation to mobile contact tracing apps in 28 EEA countries. The research team has been in contact with public health authorities, asking them to make public the DPIA they carried out in the course of developing their app.
A DPIA is a type of risk assessment that aims to identify and minimise data protection risks associated with a new project that involves the processing of personal data.
The aim of carrying out a DPIA is to determine the impact of the envisaged processing operations on the protection of personal data and ensure that a balance is struck between the processing activity and safeguarding the rights of individuals.
When the COVID-19 pandemic hit Europe in early 2020, health authorities across the continent, including Malta, developed and launched different COVID-19 apps to allow for quick and efficient contact tracing of new cases.
The DPIAs for roughly half the countries under study were already publicly available at the time the research was started, having been published immediately upon the release of their respective apps, according to Michael Spratt, one of the study’s researchers.
Public health authorities in most of the other countries provided Spratt and his research team with the documents upon being requested to do so.
It appears that Latvia and Malta were the only two countries which refused to share a copy of their DPIAs with the research team. In correspondence seen by Lovin Malta between the health authorities and Spratt, a Covid Alert Malta team member says that the DPIA is “not in the public domain”.
“Malta, and specifically the Office of the Superintendent for Public Health, is the only authority which has refused without any explanation to release this document,” Spratt said, pointing out that every other country in the study had been able to provide the information in some shape or form.
“A few authorities…decided to redact small parts of the document for security reasons before sending on their assessments.”
The Latvian authorities offered to submit a formal freedom of information (FOI) request on behalf of the researchers in order to get hold of the assessment.
Under the General Data Protection Regulation (GDPR), a DPIA is mandatory where data processing “is likely to result in a high risk to the rights and freedoms of natural persons” and is particularly important when a new data processing technology is introduced. Needless to say, the DPIA should take place prior to the commencement of the processing.
“A DPIA is an accountability mechanism, where the people who want to process personal data must show how it is not a risky activity for the people whose data is being processed. The GDPR which we Europeans are all governed by encourages authorities to release these assessments in full or summary versions. Transparency is a key step so that people can trust the automated systems which we have to use. Why is Malta out of step with the rest of Europe?”
Lovin Malta reached out to Malta’s Data Protection Commissioner who confirmed that the health authorities had engaged with his office during the development stage of the app.
“A thorough DPIA was also provided for the Commissioner’s consideration. This approach was taken in spite of the fact that the requirements of article 36 of the GDPR were not triggered, as all the risks to the rights and freedoms of data subjects were mitigated by the controller with the implementation of appropriate safeguards,” Commissioner Ian Deguara told Lovin Malta.
“In line with the approach taken by our EU counterparts we still issued an opinion on the proposed processing activity which involved the processing of data by means of the app.”
Lovin Malta has filed an FOI request on behalf of Spratt and his team to request a copy of the DPIA.