PPC’s view on Contact tracing application to combat new coronavirus infection

Contact tracing application to combat new coronavirus infection

The Personal Information Protection Commission’s approach to the use of personal information

May 1, 2001
Committee for the Protection of Personal Information

As a countermeasure against  the contagion of a new type of coronavirus infection ,, The introduction of contact tracing applications using ICT technology and data is progressing worldwide.  There is an international debate on the protection and utilization of personal information.

The functions and system structure of contact tracing applications vary by country and region. In general, however, it is in general to use Bluetooth and other technologies on mobile devices to make and store the contact history between app users beyond substantial level  and this is used as a cue  if a pre-user becomes infected, the user’s proximate contact will be alerted immediately.  In response to new coronavirus infections, from the view to prevent spread of  infections by warning proximate contact to promote appropriate  conduct promptly and appropriately, the effectiveness of these apps was pointed out . On the other hand, there is an argument that it is important to consider the protection of personal information and privacy.

In Japan, the Cabinet Secretariat’s New Coronavirus Countermeasure Tech Team is currently working on a  joint effort between the public and private sectors, it is trying to introduce the contact tracing application in order to promptly inform the person in proximate contact of the fact of proximate contact, and to ensure that the person in proximate contact is kept in touch with public health authority. Therefore, we, the Committee hereby provides the guidance to use such  application fully keeping in mind the balance between the public policy requirement such as combat against infection and the request to secure the rights and interests of individuals with regard to personal information.

The Committee have high expectations for the applications will be one of the most effective methods to prevent the spread of new coronavirus infections ensuring that these apps sufficiently comply with requests for the protection of personal information.

(1) The system must be appropriately designed and operated because it handles information that is may handle with information which, if mishandled, could greatly infringe on the rights and interests of the user concerned such as   PCR test results of the user or the user’s behavioral history (with others)(i.e., the contact history of the user).

For the purpose of properly protecting the rights and interests of users and the use of data by these apps, these apps should be used based on voluntary installed based on  the discretion (consent) of the individual concerned, after giving the sufficient and specific information to the individual.

In addition, these apps are of character which is expected to be effective enough to gain a large number of users. Therefore, it is necessary for the businesses involved in the application  to earn the trust of users by ensuring operational transparency and implementing appropriate safety management measures through the  collaboration with State and local governments.

(2) In light of the examples of applications that have been introduced or are being considered in other countries or regions ahead of time, and applications that are being developed ahead of time in Japan, it is likely that most of the information obtained by the business operators involved in the application does not constitute the personal information as set out in the Act on the Protection of Personal Information (Act No. 57 of 2003, as amended)(hereinafter referred to as the “APPI “). However, even in such cases, depending on the relationship with other information held by the service provider in question, it is possible that the information may become personal information, so each application and service provider is required to specifically verify the information and appropriately operate it in accordance with the APPI and other relevant laws and regulations.

(3) If the business involved in the application is a business operator handling personal information, it is particularly important to note the following matters from the perspective of compliance with the provisions of the APPI. In addition, it is desirable to make these matters public in order to ensure transparency in the operation of the app and to gain the trust of users.

  1.  Is the purpose of use of the personal information to be obtained specified as specifically as possible and clearly stated in an easily understandable manner to the user, and is the consent of the user obtained in order to obtain personal information requiring special care or to provide the personal data to a third party? (e.g., position of the app in the overall infectious disease control system, statement that personal data will be collected for infectious disease control, purpose and method of use of each data item, third party provider of data and the reason for this, purpose and method of use of the third party provider, etc.)
  2.  Is the company acquiring data that is not necessary for the purpose of use or providing it to a third party that is not necessary?
  3.  When there is no longer a need to use the acquired data, is the data to be deleted without delay? (e.g.) Is the retention period for concentrated contact history data set at an appropriate length from an epidemiological point of view, and is it ensured that the data is erased after this period has elapsed?
  4.  Are data security management measures and supervision of employees and contractors properly implemented?
  5.  Does the company have a system for accepting inquiries and complaints from users?