On Friday, FHI received a decision on an order from the Norwegian Data Inspectorate related to the Smittestopp app.
There are two orders: one concerns the record of processing activities required by Article 30 of the GDPR, and the other concerns deficiencies in the documentation of the risk and vulnerability analysis.
In the record of processing activities, the purpose of Smittestopp is stated as "digital infection monitoring". The Data Inspectorate does not consider this precise enough.
– The app actually has several purposes, such as tracing and alerting about covid-19 infection, monitoring population movements, analysis work and research. The record should also state what these data are used for, that is, the infection control purpose. This does not appear to be sufficiently described, says Bjørn Erik Thon, director of the Norwegian Data Inspectorate, to NRK.
– Should those who use the app be worried? Is it still safe?
– We are going through many aspects of this application. We say the same now as when the app launched: it is important that you get all the information and understand what it means to download the app, so that people can form their own opinion about whether this is something they want to take part in or not.
– That recommendation has not changed, although we have now sent this letter to FHI, says Thon.
Several purposes
The Norwegian Data Inspectorate writes that FHI's record of processing activities does not show that the application has several different purposes.
FHI responds to the criticism as follows:
– We emphasize that the two purposes of the application have been communicated consistently in all communication about the application, both in the privacy statement, the privacy impact assessment (DPIA), news items and online texts, in interviews and at press conferences. The two purposes of the application are also enshrined in the regulations. The fact that this is formulated too generally in the record of processing activities will, of course, be corrected immediately, says acting assistant director Gun Peggy Knudsen of FHI in the press release.
Lacks documentation on vulnerability
The second order concerns the lack of documentation of the risk and vulnerability analysis.
– The Norwegian Institute of Public Health has not documented that these necessary assessments of key parts of the solution were carried out before Smittestopp was procured and made available to the public, Thon says.
He emphasizes that this is the first step in the Authority's oversight.
– Among the things we will look at in the next round is why FHI has chosen to use both GPS and Bluetooth for location in this application. This is contrary to the recommendations of the European Data Protection Board, the umbrella body in which the Norwegian Data Inspectorate is also a member, Thon tells NRK.
The Institute of Public Health maintains that it has made careful assessments of vulnerability and risk in the application.
– We agree with the Data Inspectorate that the purpose of a risk and vulnerability analysis (ROS analysis) is to uncover risks and vulnerabilities before new solutions are put into use, and we believe we have fulfilled this. As the Norwegian Data Inspectorate points out, we have assumed a gradual development of the ROS analysis, in step with when parts of the total solution are put into use, says Gun Peggy Knudsen at FHI in the press release.
She notes that the analysis was done before the app launched.
Because FHI wanted a single consolidated analysis document covering the step-by-step introduction in the municipalities, it took some time to produce. This document, with the ROS analyses, will now be sent to the Data Inspectorate.
– The documents have not yet been sent to the Data Inspectorate because we wanted to have a single document after the step-by-step introduction in the municipalities, but we are now sending these risk and vulnerability analyses, and we will present the final documentation, including the analysis and anonymisation, within the deadline, Knudsen concludes.
– More concerned with launching the application quickly
Jon Wessel-Aas, one of Norway's most experienced media law attorneys, says it is good that the Data Inspectorate carries out such oversight.
– Based on the Norwegian Data Inspectorate's description, the alleged deficiencies illustrate that FHI has been more concerned with launching an application quickly than with quality assurance in terms of security and privacy, Wessel-Aas told NRK.
Initially, FHI communicated in a way that could give the impression that the application had been approved by the Norwegian Data Inspectorate, Wessel-Aas explains. He considers this unfortunate, as the app was barely finished when it launched.
– The app’s marketing just didn’t match the realities, says Wessel-Aas.