With most of the U.S. having been under some form of “Stay at Home” restrictions for over a month, many of us are grappling with the question of how to manage the transition back to the new normal. As many think about businesses, our school systems are becoming a more burning question. First, as children get the mildest of symptoms and are even less inclined to naturally observe social distancing than adults, not addressing the fact that children could be a prime vector for community retransmission recasts the societal problem that the schools face in a whole new light. Putting on my cybersecurity and privacy attorney cap (and face mask, of course), I cannot help but wonder at the liability implications for schools that do not take reasonable transmission mitigation efforts and, as a result, unleashes a fresh new wave of COVID infection on their community. For many, this concept seems ludicrous….how can schools ever be held liable for parents wrongfully sending children to school. On its face, yes, but lawyers will be debating what is, in fact, “reasonable mitigation” for years to come and the actions that were or were not taken (and their consequences for community retransmission) will look very different in the rear view mirror.
Enter contact tracing apps….the key to the future or is it really that easy? For starters, any tracking system that monitors personal health information in the US would have to follow HIPAA requirements which dictate how this information can be collected and used, as the Department of Health and Human Services has only issued narrow guidance providing for limited discretion in relaxing HIPAA requirements related to community testing sites. FTC’s Children’s Online Privacy Protection Rule imposes additional restrictions on the online storage of information related to minors and certain states, like California, impose additional privacy requirements respecting the collection of information relating to minors.
From a technology perspective, GPS type applications are simply useless in a classroom environment as that technology cannot achieve the requisite accuracy. Bluetooth is more accurate, but has its share of security vulnerabilities when used by smartphone apps. We have seen companies, like Volan Technologies, deploy more favored AI-based technologies in smart sensors that use precise-location positioning, micro-geofencing, and proximity detection to enable private contact tracing (we also like that their systems can trace both live and historical exposure and automatically send risk alerts).
Enforceability will, of course, raise its own headaches. Would the application be mandatory? Will parents be able to withhold consent? What happens if they do?
Irrespective of what system a school system deploys, there are other key data security considerations, such as:
Architecture: What technology (e.g. Bluetooth / GPS) and security protocols will be adopted? How will the data be encrypted? Where will it be encrypted (the right answer must consider the threat model)? What is the key management process for encrypted data?
Data Access/Purpose: Who will have access to the data collected (government, health authorities, academia, police, private companies, other app users)? What can the data be used for by these parties? How can the storage of sensitive information be minimized?
Categories of data collected: Will the app collect the user’s name and contact details, their geolocation data, whether they are showing symptoms and / or have been tested positive for COVID-19?
Data retention: How long will the data be retained for? Will it be anonymized? When will it be deleted?
Data storage: Where will the data be stored? How secure is that storage?
Legal basis: What will be the legal basis for processing the personal data? Will the app rely on user’s consent or use public interest as a basis for processing?
Quality of data: How will information relating to COVID testing be entered? Will it treat a positive test differently than showing symptoms?
Stay healthy. Stay distant.
Tags: #ContactTracing #COVIDSchool