| layout | default |
|---|---|
| title | Legal and Regulatory |
| nav_order | 3 |
The COVID-19 pandemic has taken the world by shock, and apart from the obvious health risks of getting infected, measures taken to control the spread have secondary impacts on both personal mental health and our economy. At the same time, political decision making needs to speed up, and democratic principles are abandoned one after another in order to secure short lead times in decision making.
The development of information technology has also created unprecedented amounts of available personal data, which can be used for profiling, tracking and understanding the intentions and whereabouts of individuals.
This data is however, with very few exceptions, the intellectual property of commercial companies today.
In the exceptional situation the COVID-19 pandemic has created, it is therefore of utmost importance that any initiative to use existing data is in line with the foundations upon which our democratic societies are based:
- Universal Declaration of Human Rights:
  Article 12, which states, inter alia, that no one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks upon his honour and reputation, and that everyone has the right to the protection of the law against such interference or attacks.
- EU Charter of Fundamental Rights:
  Article 8 - Protection of personal data
  - Everyone has the right to the protection of personal data concerning him or her.
  - Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
  - Compliance with these rules shall be subject to control by an independent authority.

These fundamental rights must not be violated. As guiding principles for our society, they must survive even the most exceptional event, and the COVID-19 pandemic is their first modern test. If they are not respected, community counter-reactions may arise, threatening the stability of our societies.
For European citizens, these fundamental rights have been protected in the General Data Protection Regulation, which entered into effect on the 25th of May 2018. The GDPR stipulates seven general principles that must be respected in the processing of personal data. The principles set out in article 5 of this European legislation have become a guide for passed bills, or proposals, in many other countries all around the world.
The general principles in GDPR could therefore be regarded as a pinnacle of democratic protection of the fundamental human rights.
Any processing of personal data should be lawful and fair. It should be transparent to individuals that personal data concerning them are collected, used, consulted, or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used.
Personal data should only be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data.
Processing of personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum.
Controllers must ensure that personal data are accurate and, where necessary, kept up to date; taking every reasonable step to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. In particular, controllers should accurately record information they collect or receive and the source of that information.
Personal data should only be kept in a form which permits identification of data subjects for as long as is necessary for the purposes for which the personal data are processed. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.
Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including protection against unauthorised or unlawful access to or use of personal data and the equipment used for the processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The controller is responsible for, and must be able to demonstrate, their compliance with all of the above-named Principles of Data Protection. Controllers must take responsibility for their processing of personal data and how they comply with the GDPR, and be able to demonstrate (through appropriate records and measures) their compliance, in particular to the DPC.
Data4Life gives individuals the possibility to be notified when they may historically have been exposed to the COVID-19 virus. The notifications can contain a suggestion for taking certain actions, such as self-quarantine.
The application can also display a geographical presentation of locations that should be avoided right now in order to minimize exposure to the COVID-19 virus.
Data4Life collects data on the legal basis of consent, as stated in GDPR article 6a. The consent is collected when the user chooses to share personal data.
Data4Life also collects information about wellness status, to be able to trace contacts and give relevant behavioral suggestions to the user. Such wellness data is considered health data, and processing it is prohibited according to GDPR article 9.1.
A special consent is therefore collected according to GDPR article 9.2a.
The raison d'être for Data4Life is to provide a human-centric, high-performing contact tracing solution that does not violate the fundamental rights stated in the Universal Declaration of Human Rights, the EU Charter of Fundamental Rights and the General Data Protection Regulation.
Instead, it builds on modern democratic values such as transparency, altruism and cooperation.
Data4Life uses the very particular rights GDPR introduces with respect to the ownership of intellectual property rights. The right to access is absolute, it cannot be disputed, and a response should be made within 30 days. Nothing stops the data controller from complying with a request faster.
A data subject has a legal right to access any of his personal data, no matter who is the legal owner of such data. The data subject is also given a non-exclusive right to freely use the data for any reason. In such usage, the data subject does not have to consider regulations about trade secrets.
In their construction, the data subject rights in GDPR introduce a kind of dual purpose, dual ownership. Data4Life empowers users by letting them fully exploit this dual ownership to make a difference in the battle against, e.g., COVID-19.
In addition to the explicit consent according to GDPR article 6a and 9.2a, Data4Life also collects a power of attorney from the user as they sign up and/or ask for a DSR per service.
This digital power of attorney transfers, non-exclusively, any data subject rights according to GDPR article 15 to Data4Life. With this, Data4Life can request, and gather, personal data such as location data from any data owner, including but not limited to Google, Samsung, Apple, Huawei, Facebook and telcos. Access to data from several sources enables both historical tracking and higher tracking resolution.
Data4Life collects explicit consent for processing personal data according to GDPR article 6 and 9. The purpose of the processing is clear, and the user can opt out, repurpose or revoke the consent at any time.
By collecting an explicit consent, the purpose of the processing is declared in plain text when the consent is collected. Personal data will not be processed for any other reason, nor transferred to any third party, including authorities, without the explicit renewed consent of the data subject.
Data4Life only processes data needed for the described purposes. This means that any data older than what is relevant for the current COVID-19 pandemic will neither be gathered, stored nor processed. This also means any personal data will be deleted when they no longer serve an agreed purpose.
Data4Life uses consent as the legal basis for processing personal data. For this reason, total traceability exists between personal data and the consent. Consent can be revoked, and personal data is then deleted.
In accordance with the data minimization principles, data in Data4Life are only stored as long as they serve the described purpose of the solution.
Data4Life uses a federated storage and processing architecture. This means that personal data, as long as possible, is kept in the storage of choice, and is not migrated into any central storage.
Data4Life is created to uphold the fundamental human rights with regard to personal data.