Batnag: Is there a gold standard for contact tracing apps?

Private Talk

IN THE name of contact tracing and of containing Covid-19, more and more business establishments and local government units are rolling out contact tracing apps. Since Covid-19 is a notifiable disease, people are obliged to register and share their personal data. But do these apps protect your personal data? How?

In November last year, the National Privacy Commission (NPC) called on the software developers of contact tracing apps to be "privacy advocates" and to implement "privacy by design" as more and more LGUs use technology to track down their constituents in the name of public health and safety.

Which is the better app? Is there a gold standard against which to compare the apps? There's no checklist for compliance, but the three principles of data privacy should provide enough guidance.

First, legitimate purpose. What's the reason for the data collection and processing? If it's contact tracing for Covid-19, check the documentation and the privacy notice against what's actually being done.

For example, if an ordinance was issued by the city council to justify the data collection and processing, read the ordinance and check out what reason was given for the project.

That purpose -- for example, contact tracing for Covid-19 -- should be the same purpose in the privacy notice, privacy statement or privacy policy that should be found somewhere in the app, ideally appearing before registration.

Second, transparency.

This is how the Data Privacy Act defines transparency: "The data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of personal information controller, his or her rights as a data subject, and how these can be exercised. Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language."

Does the privacy notice contain the information that the NPC said it should?

"The privacy notice contains the identity of the personal information controller, service description (list of all services that the app provides), personal data that are processed, collection methods, timing of collection, purposes for processing, storage and transmission of personal information, methods of use, location of personal information, third party transfer, retention period, participation of data subjects, and inquiries," the NPC said in its statement released last November.

If there are other reasons for data collection, the NPC said the data subject must be asked for consent, for each and every purpose. "When different purposes exist in the app, there must be a separate consent and purpose must be explained beforehand to users (e.g. the use of anonymized data for pandemic and epidemiology research and development purposes)."

"Make the contact tracing app's system access explicit, especially when it tries to access sensitive capabilities of the user's mobile device (e.g. storage or microphone). When making a permission request, the app must disclose what it is accessing," the NPC said.

There must also be a way for data subjects to ask the one in control of the data processing -- either the LGU or the establishment using the contact tracing app -- for the exercise of their data subject rights. In other words, data subjects must be allowed to find out what data was collected on them, and to have a copy of these data, among other things.

Third, proportionality.

Is the data collection and processing limited to the stated legitimate purpose? Will the data be deleted when this purpose is fulfilled, or the processing no longer necessary?

If, for example, the purpose is to conduct contact tracing for Covid-19, the data collected must be limited to information that will allow contact tracers to find the data subject. How necessary is civil status, for example, to find someone? Or one's profession, or citizenship? Do you really need to give this, considering that you're already giving out your name, mobile phone number and home address?

Last -- but not the least -- check if the LGU or establishment collecting your data actually checked if there were risks involved in the data processing, by conducting a Privacy Impact Assessment (PIA) before the project was launched.

"Before implementing the app, business, system and process owners, or developers should conduct a privacy impact assessment (PIA) to identify data privacy and security risks," the NPC advised. "In conducting a PIA, refer to NPC Advisory 2017-03 and the Philippine National Standard on Guidelines for Privacy Impact Assessment: PNS ISO/IEC 29134:2018."

We leave virtual traces wherever we go, and as the pandemic forces us to conduct more and more of our activities online, we share more and more of our personal data, of our virtual selves. Among the lessons we should learn from this pandemic is how to protect personal data -- ours and everyone else's.

(Dana Batnag heads the policy and risk management section in the data privacy office of a financial services institution. For inquiries, comments and clarifications, she may be contacted at

