The Office of the Information and Privacy Commissioner of Alberta (OIPC) released a report July 9 on its review of the ABTraceTogether privacy impact assessment (PIA).  

Information and Privacy Commissioner Jill Clayton, says, “While I am not in a position to endorse a particular technology solution, we found Alberta Health was mindful of privacy and security in deploying the app.”  

The positives of the report are the app’s “clear purpose to supplement already established contract-tracing processes, AHS’ consent-based approach, limited collection of health or personal information when registering to use the app, and AH’s efforts to mitigate the risk of secondary use of information collected by the app, specifically for quarantine enforcement.” 

On the other hand, the report shows issues with how the app runs on Apple devices. A security risk is created by having to run the app in the foreground, requiring the device to stay unlocked. If the device was lost or stolen, it would already be unlocked. Unfortunately, this issue is out of the control of AHS. 

The risk is greater for those in the public, health and private sectors that have obligations to reasonably safeguard health or personal information under Alberta’s privacy laws. 

“The OIPC accepted the ABTraceTogether PIA with recommendations. Acceptance of the PIA acknowledges that AH has taken reasonable steps to protect privacy. Acceptance is not a waiver or relaxation from legislated requirements.” 

The OIPC wants the inconsistencies clarified between documentation provided during the PIA review and what is made available publicly. They also recommend AHS continue their public reports on the app’s use and effectiveness and they plan for dismantling the app when it is no longer needed.