10 October/14 July 2020 – Policy Brief
Summary of request/problem:
The Swiss National COVID-19 Science Task Force has made a request to the FOPH to include some additional questions on the use of the SwissCovid App into the minimal data set for contact tracing. The Task Force proposes to add the following questions:
For persons who are identified or self-identify as contacts:
Are you using the SwissCovid App? Yes/No/No Answer
If above is answered with yes:
Date of SwissCovid app exposure notification (if any)
Did you call the SwissCovid Infoline upon notification? Yes/No
Date when the Infoline call was made
For persons with positive SARS-CoV-2 tests:
Are you using the SwissCovid App? Yes/No/No Answer
If above is answered with yes:
Did you upload the CovidCode to the app? Yes/No/No Answer
If yes: Date of upload of CovidCode (CovidCode is the ID issued by the cantonal physician upon positive test)
Date of earlier SwissCovid app exposure notification (if any)
Did you call the SwissCovid Infoline upon notification? Yes/No
Date when the Infoline call was made
The FOPH made an internal legal assessment of the request to include these questions into the minimal essential data to be collected by contact tracing and came to the conclusion that there is not a sufficient legal basis that would allow the collection of such data.
Collecting these data is allowed in the context of anti-pandemic measures, for the following reasons:
- The collection of anonymous data does not raise legal concerns. The collection and processing of personal data relating to the use of the SwissCovid App constitutes a restrictionon the fundamental right to informational self-determination (Art. 13 para. 2 Swiss Federal Constitution). Such a restriction is only justified if based on a legal basis and a public interest and when it is proportionate (Art. 36 Constitution).
- Serious restrictions on fundamental rights must be provided for in a formal law, i.e. be adopted by a parliament. For minor restrictions on fundamental rights, any legal basis (e.g. an Ordinance) is sufficient. In addition, minor restrictions on the right to informational self-determination can also be based on an indirect legal basis. In such cases, a legal basis clarifying a specific state task also serves as a legal basis for the data processing necessary to fulfil the task.
- The collection and processing of data related to the use and efficiency of the SwissCovid App does not constitute a serious restriction of a person’s informational self-determination, as it does not require the processing of sensitive personal data. Therefore, it does not need a formal enactment as a legal basis, but can be regulated in an Ordinance. The data processing can also be based on an indirect legal basis.
- The Epidemics Act and the Ordinance introducing the SwissCovidApp can both serve as an indirect legal basis for the collection of data related to the use of the App. As the SwissCovid App is a supporting element in the strategy for control and prevention, information on the use and efficiency of the App is important in order to derive conclusions on how to optimise the tracing strategy. The collection of such data does not directly serve to analyse the effects of infectious diseases. It is therefore not health-specific data. However, findings on how to improve the tracing strategy are incorporated into the fight the pandemic. At the same time, they can also form the basis for adopting more appropriate health policy measures in relation to the tracing strategy. The collection and compilation of data on the use of the programme is therefore indirectly covered by the Epidemics Act and the ordinance introducing the SwissCovidApp.
- In addition, no legal basis is necessary if the subject of data consents to the collection and use of the data. As long as the questionnaire asking about non-sensitive data clearly states that the person is not obliged to answer the questions and that answers will be used for research, all considerations about the legal basis are therefore vain:
In such a case, the consent of the person freely sharing non-sensitive data replaces the law.
As the evaluation of the SwissCovid App is not research, the Human Research Act (HRA) does not apply. The non-applicability of the HRA also results from the fact that the answers to the questions about the use of the App do not provide any information about diseases or the structure and function of the human body. Should the data collected subsequently be used for research purposes, the applicability of the HRA would have to be examined at that time and, if necessary, the necessary approvals would have to be obtained.
Collecting and Processing Data related to the Use of the SwissCovid App
In response to the request of the task force, the issues of the legal basis for such questions was raised. This policy brief aims at answering this question.
Unfortunately, the issue is complex, as are almost all issues relating to data protection. The complexity begins with the question of the applicable law. When federal authorities collect data, they are subject to the Federal Data Protection Act (DPA). When cantonal authorities act, they are subject to the data protection law of their respective canton. This is also the case if cantonal authorities do not enforce their own cantonal law but implement federal law (and act “on the orders” of the Confederation). If the Confederation lays down reporting obligations which the cantons implement, both laws are applicable: the DPA for the Confederation and the Data Protection Act for the canton acting in each case. However, the consequences are less drastic than they appear: cantonal data protection laws are largely identical to the federal DPA. For that reason, we will only refer to the legal requirements laid out in the DPA.
In addition to the general data protection laws, specific laws also apply, in this case mainly the Epidemics Act and, under certain circumstances, cantonal health legislation. These laws concretize and supplement the general principles of data processing for their area and often provide legal bases for individual data processing operations.
If data is processed anonymously, there is no interference with the right to privacy and the Data Protection Act does not apply.
Considerations under general data protection law – the legal basis for processing data related to the SwissCovid App
Federal (and cantonal) collection and processing of personal data require a legal basis. How specific this must be (how precisely the law defines the envisaged data processing) depends on the circumstances, especially on the potential risk associated with data collection.
For minor interference, any legal basis (e.g. an Ordinance) is sufficient. Serious restrictions on the fundamental right to informational self -determination must be provided for in the law itself (this can be a federal law or a cantonal law). Serious encroachment occurs when data requiring special protection is collected or processed (e.g. data concerning health) or when data processing allows for the creation of personality profiles on the basis of data related to individuals.
According to the DPA, the following personal data are sensitive and require special protection: data on religious, ideological, political or trade union-related views or activities; health, the intimate sphere or the racial origin; social security measures; administrative or criminal proceedings and sanctions (Art. 3 lit. c DPA). Data are sensitive when they fall under this definition, not when a person or authority considers an information as sensitive. Data concerning the use of the Swiss Covid App are not sensitive; hence, their collection only constitutes a minor interference with the right to privacy. The use or non use of the App or the fact that a person has or has not received a notification gives no information about the person’s health; in all situations, the person can be infected with SARS-CoV-2 or healthy. The fact that a person has received a notification and has not called the infoline is not a sensitive information either. As the use of the App is purely voluntarily, the decision not to call the infoline does not stigmatize a person (and hence cannot be compared to date on social security measures or criminal proceedings). At the same time, these data are eminently important to assess the App and to better understand its potential to support contact tracing.
The question of whether or not a person uses the SwissCovid App (and how) does not constitute a serious restriction on the informational self-determination of a person. It is not about the processing of data concerning the health of the person. Any legal norm, including ordinances, can thus serve as a legal basis.
In its dispatch on the Data Protection Act, the Federal Council took the view that the requirements regarding the legal basis should not be too strict (Dispatch DSG, BBl 1988 II 413, 467). In the area of simple data processing (as long as it does not involve the processing of sensitive data), it is sufficient that the data processing has a clear factual connection with the task of a federal authority (this then already constitutes a sufficient indirect legal basis). In the case of an indirect legal basis, the law defines the task and thus also permits the simple data processing that is necessary to fulfil the task (BELSER/NOUREDDINE, 2011).
Regarding information on the use of the SwissCovid App, the authority collecting the data is fulfilling tasks which are defined in the Epidemics Act (see below). Hence, the Epidemics Act can serve as an indirect legal basis.
Another line of argument consists of referring to the Ordinance allowing the use of the «Swiss Proximity-Tracing System». The App was first introduced as a pilot project and is now based on the Ordinance on the Proximity Tracing System for the Sars-CoV-2 coronavirus which entered into force on 25 June 2020 and will apply until 30 June 2022. Even though the Ordinance (PTSO) does not regulate the collection and processing of data related to the use and efficiency of the SwissCovid App in an explicit manner, there is a clear factual connection to data processing (see below). The Ordinance thus constitutes an alternative indirect legal basis which is also sufficient.
It follows from the above, that questions related to the use of SwissCovidApp can be raised based on an indirect legal basis.
Even if these indirect legal bases did not exist, it would still be possible to ask questions related to the use of the App. This is due to the fact that in exceptional cases, personal data (even particularly sensitive data and personality profiles – but a fortiori all other personal data) may be processed without any legal basis. This is the case in three situations (Art. 17 para. 2 Data Protection Act):
- if the data processing is essential for a task clearly defined in a formal law (a formal enactment);
In this case, the task is provided for in a formal enactment (in the Epidemics Act). The purpose of this law is to prevent and combat the outbreak and spread of communicable diseases (Art. 2 para. 1 Epidemics Act). It also provides for measures that allow to monitor communicable diseases and provide “basic knowledge about their spread and development”, as well as measures that are intended to induce individuals, certain groups of persons and institutions to “contribute to the prevention and control of communicable diseases” (Art. 2 para. 2 lit. a and lit. c Epidemics Act). It thus seems obvious that the data on the use of SwissCovidApp is covered by the tasks of the Epidemics Act. More difficult to answer is the question whether it is also “essential”. However, it should be noted, that the requirements for the definition of the tasks are less strict if – as in the present case – less sensitive data are involved. In this case, the essentiality or indispensability of the data collection is not required (WALDMANN 2011),
Under these circumstances, it can be assumed that the Epidemics Act permits the collection of data if it serves the purposes of the Act and the data concerned are not particularly sensitive. This means that the present data processing is also lawful under the Data Protection Act.
Alternatively, the Ordinance on the Proximity Tracing System for the Sars-CoV-2 coronavirus allowing the use of the «Swiss Proximity-Tracing System» during the pandemic crisis and latest until 30th of June 2022 can also serve as an indirect legal basis.
- if the Federal Council authorises processing in an individual case because the rights of the data subject are not endangered; or
Without further ado, it would be possible for the Federal Council to authorise data processing in individual cases if this did not endanger the rights of the data subjects, which can be excluded in the present case. The purpose of the exception is precisely to allow data processing for short-term needs. (WALDMANN, 2011)
- the data subject has given his or her consent in an individual case or made his or her data generally accessible and has not expressly prohibited its processing.
A legal basis is not required if the data subject has given his or her consent to the data processing. This requires that consent is given voluntarily and informed and that the institution processing the data informs the data subjects in a timely and comprehensive manner about the intended processing of the data. This information would have to be included on the questionnaire.
Consent is not bound by any form: It may be given in writing, orally or by implicit behavior. In the case of sensitive data requiring special protection, the authorities must not take consent lightly. In the present case, however, such data is not at issue. It is reasonable to presume that a person gives his or her implied consent to data processing (concerning non-sensitive data) if he or she answers yes or no to a question that he or she could just as well not answer. As the question is to be raised in the following manner “Are you using the SwissCovid App: Yes/No/No Answer” answering the question is implicitly consenting to sharing this data.
Consent could even more easily be used as a replacement for a legal basis, if the contentious questions would be preceded by an introductory remark. This remark would have to inform the data subjects concerned that the questions do not need to be answered and that any answers would be used for the purpose of evaluating the app.
Further considerations – other provision that might constitute a legal basis for processing data related to the SwissCovid App
The Epidemics Act provides for the exchange of research results, expertise and information between the competent federal and cantonal authorities (Art. 10 Epidemics Act). However, this provision only concerns the exchange, but not the collection of data.
However, the provisions on reporting obligations must also be considered. According to these provisions, the Federal Council may stipulate the obligation to “report on prevention and control measures and their effects” (Art. 12 Epidemics Act).
The SwissCovid App is one of the measures used by the Confederation to prevent and combat the pandemic (to support traditional contact tracing). It could therefore easily provide for its effects to be determined and the relevant information to be reported.
According to the Epidemics Act, the Federal Council is in any case responsible for defining “observations of communicable diseases that must be reported, the reporting channels, reporting criteria and reporting deadlines” (Art. 13 Epidemics Act).
The Federal Council could easily determine that the question of whether and how the SwissCovid App has been used is to be considered as a notifiable observation under Art. 13 Epidemics Act.
Finally, the FOPH could conclude agreements “for epidemiological surveillance and research purposes” with cantonal physicians, as well as with doctors, laboratories, hospitals and other health care institutions, which provide that observations that are not subject to the reporting obligation must be reported to a body designated by the FOPH. These reports must be anonymised (Art. 14 of the Epidemics Act). In this case, only the total number of people who used the app would have to be reported, but not their identity.
However, even under the Epidemics Act, it is questionable whether an amendment to the reporting obligations by the Federal Council or agreements with the FOPH is even necessary. The competent authorities are responsible for carrying out the necessary epidemiological investigations, and in particular for clarifying “the nature, cause, source of infection and spread of an identified or suspected disease” (Art. 15 of the Epidemics Act). In order to clarify the sources of infection and its spread, it is undoubtedly useful to examine the use of the App and its effectiveness.
Such voluntary data collection is also consistent with the National Advisory Commission on Biomedical Ethics’ position paper on Digital contact tracing, which states that “From the outset, the implementation of the measure is to be evaluated in depth with regard to effectiveness, subsidiarity and proportionality.” (National Advisory Commission on Biomedical Ethics, 2020).
When collecting data regarding the use of the SwissCovid App, the Human Research Act (HRA) does not apply. This for the following reasons, as outlined in the annexe:
- Collecting these data does not constitute research.
- Even if it did, collecting data on the use of the SwissCovid App would not constitute research with human participants in the sense of the HRA.
- Information on the use of the SwissCovid App does not constitute health-related information.
- The constitutional basis of the HRA does not allow a broad interpretation of «research» in this case.
Once these data are collected, it is of course possible that they could be used for research purposes. In such a case, the HRA could apply and ethics review would therefore have to be obtained from the appropriate Ethics Review Commission.
BELSER/NOUREDDINE, in: Belser/Epiney/Waldmann, Datenschutzrecht. Grundlagen und öffentliches Recht, Bern 2011, § 7 Rz. 79
National Advisory Commission on Biomedical Ethics: “Contact tracing as an instrument for pandemic control – central considerations from an ethical perspective”. Bern, 2020
WALDMANN, in: Belser/Epiney/Waldman, Datenschutzrecht, Grundlagen und öffentliches Recht, Bern 2011 § 12 Rz. 53