The story behind TraceTogether is a story of partnerships: partnerships between public sector agencies, the data protection regulators and the community of data protection officers. It is also about how we can involve citizens in our battle against COVID-19. This is a story about how you can have good accountability practices that observe data protection principles whilst at the same time building an app, such as Trace Together, to assist in contact tracing. This is something that we have taken seriously.
Hong Kong and Singapore share the same experiences. This is not the first time that we have had to deal with the outbreak of a virus. We went through SARS and we bear the scars from SARS. I remember also looking at MERS coming in our direction but, thankfully, that did not hit us that hard. Now we have COVID-19.
We take contact tracing seriously. Contact tracing is an important outbreak containment measure. I want to make it really clear that it is about tracing contact. You need to find out who was in that room in close proximity to you and for how long. You need to invite the person to come in for a test so that the right level of medical attention can be given.
Contact tracing is difficult because it relies on memory. Based on our discussions you need to try and recall for a period of two weeks who were the people you came in contact with. That can be challenging. Conventional contact tracing can be challenging when memory fails or if you remember but you don’t know who that person is or if you are unable to contact that person.
The TraceTogether app is implemented to complement and assist contact tracing efforts. When the Government Technology Agency (GovTech) started to build this app for the Ministry of Health, GovTech contacted us in early February to see how we can assist in the development. We were very glad to be part of this, to contribute and help.
I would like to talk about how, as a data protection regulator, we were able to assist in this process. Since we were engaged early on, we took this opportunity to put into practice data protection by design. I will talk after this about the security and the design elements.
I would like to cover two points: getting ready and also being part of the discussion before the architecture was built, which allowed us to contribute. Data protection was built into the architecture of the app. One clear example of this is data minimisation. This is illustrated by the fact that the only piece of personal data that is necessary to collect is actually the mobile number at the time of registration. We minimised the amount of personal data that was required to register and use this app. We also wanted to ensure that there was greater control by the citizen who was using the app. We designed those features into the app as well.
When the app was ready for testing, we assisted and provided guidance to see how we can conduct the data protection impact assessment. Another example of what we did was the implementation of dynamic consent into the user interface design. We realised that this was going to be a voluntary app, so we needed to build consumer trust. Citizens had to be prepared to use it. Convincing citizens to download the app and to use it required transparency and managing the communication and information flow. We needed to decide how to provide that information to the website, through a technical blog or through FAQs. We also had to figure out how to parcel out consent to maximise the touchpoints through the app to the citizen, such that when you are signing up we only obtain consent as relevant at that point in time. Later on at the second point in time when you have been requested to upload the transaction we only obtain additional consent that is relevant and contextual at that point in time.
I want to talk about the partnership with the Data Protection Officer (DPO). We are fortunate that in Singapore we have AsiaDPO which is an association of data protection officers. When we were finalising the design and even before the launch we were able to reach out to them and get a few members of the DPO community to take a look at what we had done and give us an external review and some feedback. We did pick up a few points that were very helpful. Some of the points were embedded into the design.
One of the things that we are working on together with the World Bank and Harvard Business School and our colleagues at GovTech is to put some of the lessons learned into a case study. As you may have heard, the app is open source and here are some details on how to access the app. In the previous panel there was a discussion about how it is necessary to have transparency. After this app was launched, we were quite happy to see that there was a lot of interest from the technical community. They looked at the source code, published a report that actually verified that this was a proximity-based application and there was no capturing of location information.
I would like to wrap up my presentation and say through this experience what we wanted to do is really not just to talk about the data protection principles and to preach about accountability practices, but to really see how we can work together with government agencies and to see how we could encourage the adoption of these practices in this application. We are grateful for the opportunity to have been able to do that. You can see the fruits of our labour. The app has been downloaded over a million times in Singapore.
At this point in time, we have entered yet another phase in our battle with COVID-19. The toughest part still isn’t over, but together with the right attitude I think it is possible to take a data protection by design approach to build applications, to work together in our joint effort to overcome this outbreak. Thank you.