COVID Alert App Postmortem — Part 5, Enter The Commissioners
Oversight for Effectiveness But Where?
Please see the previous pieces in this series and this recent oped in the Toronto Star
Who Should Be Holding Health Canada Accountable?
In trying to figure out who should be holding Health Canada accountable for shutting down the broken COVID Alert app, I had mostly been focusing on the (now disappeared) COVID-19 Exposure Notification App Advisory Council. As written previously, part of their remit was to help Health Canada figure out how to wind the app down and to destroy related data, as per the terms of reference of the group.
So they were supposed to be doing this and are now gone. There is further future analysis to do on this whole piece, but for now, we’ll say that this one mechanism for oversight and pressure and accountability has failed.
Enter the Commissioners — Ontario
As I’m using the province of Ontario as the example for this informal postmorterm, I tripped over the Information and Privacy Commissioner (IPC) of Ontario. In trying to map the basic fundamentals of how information and data is/was moving from the federal and provincial bodies, I came across an endorsement of the app from the IPC of Ontario, which was done jointly with the federal privacy commissioner. In the statement from the IPC of Ontario was this, in italics:
“While today’s launch of the COVID Alert app marks a significant milestone in the fight to control the spread of COVID-19, the IPC’s work will not stop here. We will continue to monitor that the app is implemented for its intended purpose, that its safeguards are applied as designed to protect privacy, and that its collection and use of personal information continue to be necessary and effective in helping curtail the spread of COVID-19 in Ontario.”
This “we will continue to monitor the app” part, that really doesn’t seem like it’s happening. So to the advisory council, we can now add the IPC of Ontario as an institution that was supposed to be on monitoring and oversight duty.
The reason I got in touch with the IPC of Ontario in the first place was not so much this accountability part as it was that they must have information about the workflow used in Ontario to get the one-times keys out. I am still waiting for a reply from them on this front, to try to map the process that went between the public labs where tests were done, the web portal (lab results viewer) where people got their codes, and the federally managed app.
If they endorsed the app, they must know exactly how it works on the provincial side. This is information we all need to have public access to, and from my adventures so far, the transparency we have federally on how the app works does not carry over to how the province is/was operating.
And before we leave the province, note also how they talked about the need to “monitor that the app is implemented for its intended purpose”. This “intended purpose” part is important too.
Enter the Commissioner — Canada
The July 31 2020 endorsement from the Information and Privacy Commissioner of Ontario was done jointly with the Office of the Privacy Commissioner of Canada. From the July 31 2020 statement, in italics:
“To meet the necessity and proportionality principle, both governments must monitor the app’s implementation and effectiveness and independent oversight will be important to foster public trust. The government of Ontario will continue to be subject to Ontario’s privacy laws and ongoing oversight by the IPC.”
And then later we find commitment to an audit at the provincial level, which is something to seek out, because this audit speaks to assessing effectiveness:
“The federal government has agreed to involve the OPC in an audit of the app after it is up and running. The audit will include ongoing analysis of the necessity and proportionality of the app, including its effectiveness, and an assessment of respect for the federal, provincial, territorial joint statement principles in the design and implementation of the app.”
Monitoring and Oversight for Effectiveness
One last thing from the Office of the Privacy Commissioner of Canada, emphasis mine:
“The governments of Canada and Ontario have sufficiently demonstrated that the application, although new and untested, is likely to be effective in reducing the spread of COVID-19, as part of a broader set of measures that includes manual contact tracing. However, because the effectiveness is uncertain, the commissioners recommended that the implementation of the app be closely monitored and that the app be decommissioned if new evidence indicates it is not, or is no longer, effective in achieving its intended purpose.”
So here we’ve got the explicit recommendation that if the app is not working it needs to get shut down. This makes three for groups/institutions that should have been part of the oversight for efficacy and shut-down: the advisory council, the Information and Privacy Commissioner of Ontario, and the Privacy Commissioner of Canada.
Necessity and Proportionality
These two terms — necessity and proportionality — used by the federal commissioner, jumped out at me. They were familiar because they are a part of the framing that my colleague Sean McDonald used in our May 2020 piece that sought to consider what proactive policy for these kind of apps would look like if policy was created before the apps were launched.
One particular part from that piece stuck out now that we’re a few years into it, from the necessity section, emphasis mine: “As is often the case with new technology, COVID-19 response technologies have largely been framed around their theoretical potential as opposed to their proven impact — what they might be able to do rather than what they actually do.”
This gap of hopefulness is one that can be monitored and should have been informing decisions by Health Canada and others along the way. It was clearly stated as necessary by the commissioners. What they did to make sure it was happening, or what they did themselves to make it happen, is still unclear. But what we’ve got now is two more parties — the federal and provincial privacy commissioners — that clearly stated the need for oversight and monitoring. They, like the council, have been quiet too.
I’m not well acquainted with how these commissioners function. One part of their model, which appears to create severe access to justice problems, is that people need to approach them if there is an issue, to instigate action. That they don’t just act without a prompt. I’ll be exploring if/how to create that prompt in weeks ahead.