5 Messages about Transparency, Data Protection & Statistics

1. The Data Protection (Jersey) Law 2018 does not stand in the way of our community working together during the Covid-19 pandemic, including the sharing of data with volunteers and support organisations. Measures taken in response to Coronavirus involving the use of personal data, including health data, should be necessary and proportionate and limited to what is necessary to carry out the particular function (don’t collect more than you need to carry out your task).

2. Anonymised data, which prevents the identification of the individual to whom it relates, can be used for statistical purposes. Anonymised data can be considered effectively and sufficiently anonymised if it does not relate to an identified or identifiable natural person or where it has been rendered anonymous in such a manner that the data subject is not or no longer identifiable. In those cases, the data doesn’t fall under the data protection law because no individual can be identified.

3. The Data Protection (Jersey) Law 2018 permits processing (including disclosure) of personal data in cases where it is deemed necessary for the protection of public health so long as there are appropriate safeguards in place to protect the rights and freedoms of data subjects.

4. Be careful what you share online. Things aren’t always what they seem and the ‘facts’ may not come from legitimate sources. Spreading false information can be harmful so you should rely on official sources for information (such as the gov.je website) and not promote information that appears dubious or comes from a questionable source.

5. Tracking, tracing and proximity Apps

• Firstly, systems and App developers and authorities should set out a very clear purpose of what the App is intending to achieve. Is it being used just for Covid-19? Alternatively, is the intention to expand its use to cover other things once the pandemic is over? You must be explicit about how long you are going to be collecting and using data for and what you are going to do with the information collected.
• Only the personal data that is absolutely necessary to achieve the intended purpose should be collected.
• Personal data should, wherever possible, be anonymised or pseudonymised, or aggregated so it breaks the link between the person and the data.

It is critical that technologies do not remain active once these emergency powers cease or once the pandemic is over, and a clear sunset clause setting out the likely expiration date for the tracking App must be identified prior to any processing and reviewed on an on-going basis. If the need for the App ceases earlier than anticipated, it should not be kept ‘live’ just in case; as soon as the information is no longer needed you should stop collecting it.

• Adequate guarantees of security of personal data must be given, remembering too that medical data is considered as special category data under the law.

Engendering public trust is critical if the desired objective is to be achieved and transparency is essential for ensuring and proving that the system or App functions as it was intended and advertised.