We talk a lot in Castlebridge about how trust is essential. Understanding the value of data and communicating the benefits of the outcomes of your process or programme are very important to get people to buy in to your vision. Whether your vision is your data strategy, building Data Governance in your organization, or getting people to consent to you processing their personal data. Today, it’s nice to be able to look at a success story. As critical as I have been in the past of various government initiatives on personal data use, I’m very happy to be able to point to a positive case where a transparency, communication, and design building data protection considerations into the development of a project have resulted in positive outcomes that has gotten global attention.
The COVID Tracker success story
In the months preceding the launch of Ireland’s “COVID Tracker” exposure notification app, there was a great deal of conversation around the possible risks and benefits of the data processing involved in using mobile phone technology to support manual contact tracing efforts. One very large concern with the potential usefulness of any such app is data subject buy in. If a sufficient proportion of the population do not download and use the app, it will not be able to fulfil its purpose even partially.
In the wake of the loss of trust in “The Government” processing personal data thanks to missteps such as the “Mandatory but not Compulsory” public services card, the Health Services Executive faced extra challenges. They had to build trust where trust was already reduced to convince the Irish public to download a contact tracing app. Especially when examples of other countries having serious privacy issues and functionality failures were in the news. The HSE needed to convince civil liberties advocates and privacy practitioners that they had taken into account risks and compliance concerns that might be raised to the regulator. They also had to convince the public that they could be trusted with potentially very sensitive data, and that it was worth it to allow this data to be used.
How much is your data worth?
Looking at data from a data governance and strategy perspective, this is a key principle of Data Governance . . . recognizing data as a valued and strategic asset, and communicating that to your stakeholders. For people to buy into your vision, you need to be able to identify and communicate the value of the outcomes of your data processing. Transparency and communication are key to trust and buy-in, and the HSE and app developer Nearform performed admirably here.
For general public information, they used clear plain language and layered communications design to explain the app, its potential benefits, and how it works in clear plain language. They responded to the concerns of people with more specialized knowledge with full transparency. This meant releasing the code for review as recommended by the EU Toolkit for Compliance and the European Data Protection Board and requested by the ICCL, and publishing a comprehensive Data Protection Impact Assessment, comments from the Data Protection Commission. They also released reports on how the DPC and EDPB’s recommendations have been incorporated into the design.
Transparency builds trust
Trust is difficult to build and easy to lose, and it’s clear that the people leading the project understand this. The transparency in the published documentation makes it clear that the people involved in the HSE-led collaboration understood the critical need to prove trustworthiness and get it right. The care taken in development and the clear explanations the developers give for their move from a centralized design to a decentralized design based on the Apple/Google API and ensuring the possibility of interoperability show that the developers understood that trust is essential to the success of the project.
From a buy-in perspective, the KPI is whether the Irish public were willing to download and use the app. That seems to be a global success story so far. In the first week of the app’s launch, 30% of the population had downloaded it.
Measuring data quality
Another key issue in identifying the value of your data is in its use — ensuring that you have the required information to validate that your data is fit for purpose and that the process works. This is something that the EU Toolkit for compliance for COVID-19 apps identified as “Monitoring the effectiveness” of applications. The HSE set a 90 day period from the launch of the app to determine whether the exposure notification works well enough to justify collecting the data.
The developers identified required metrics, so that they can provide statistical information as to whether the app succeeds in doing what it’s designed to do, which helps answer whether or not it can meet necessity and proportionality requirements for compliance. This also means that when journalists ask whether apps built on Data Protection by Design principles are working, the HSE can respond that “A total of 58 users registered positive tests in the app’s first three weeks of operation through to July 28, generating 137 close contact alerts. Of these, 129 opted to get a follow-up call from Ireland’s contact tracing team.”
What is the value of the app? The way it’s described is modest but describes a clear outcome in human terms: the KPI for success is breaking even a handful of chains of transmission of the disease. In other situations this KPI could be too fuzzy to determine proportionality, but when counting human lives and risk of exponential transmission, it’s a convincing argument that while it may not be perfect, it may be fit for purpose when other risks are minimised.
It’s also a clear reminder that when we talk about data processing and value, we must always remember that we are talking about impact on human lives and human dignity.