21st April 2020

OECD: Tracking and tracing COVID: Protecting privacy and data while using apps and biometrics

Key recommendations

Digital technologies provide powerful tools for governments in their fight to control the COVID-19 pandemic, but their privacy and data protection implications must be recognised. Contact-tracing apps should be implemented with full transparency, in consultation with major stakeholders, robust privacy-by-design protections, and through open source projects (where appropriate). Governments should consider:

The legal basis of the use of these technologies, which varies according to the type of data collected (e.g. personal, sensitive, pseudonymised, anonymised, aggregated, structured or unstructured).

Whether the use of these technologies and the subsequent data gathering is proportionate, and consider how the data is stored, processed, shared and with whom (including what security and privacy-by-design protocols are implemented).

The quality of the data collected and whether it is fit for purpose.

Whether the public is well-informed and the approaches adopted are implemented with full transparency and accountability.

The time period within which more invasive technologies that collect personal data may be used to combat the crisis. Data should be retained only for so long as is necessary to serve the specific purpose for which it was collected.

Members of the American Chamber of Commerce in the Czech Republic