Fair Information Practices are the backbone of privacy laws worldwide, including the European Union privacy protections. TraceFi and the Harvard University Health Services (HUHS) Contact Tracing Option on MyDataCan were designed to adhere to the following Fair Information Practices.
The minimum collection practice: collect only what is necessary to accomplish the task.
TraceFi sensors only capture signal strength and MAC address and record the date and time of the recording. These three pieces of information (signal strength, MAC address, and date-timestamp) are the only information collected. These are the minimum information needed to help the human contact tracer.
The specific information provided to human contact tracers from the HUHS Contact Tracing Option on MyDataCan varies by the type of location information captured. Only the the minimum information about duration, location and a measurement, if known, are provided. This parallels the kinds of information provided to TraceFi. If a MyDataCan user does not select to use the HUHS Contact Tracing Option, none of that user's data forwards to contact tracers.
The minimum sharing practice: shared information is the minimal information needed to accomplish the task.
The only information shared from TraceFi or the HUHS Contact Tracing Option on MyDataCan is with a human contact tracer in the service of a specific positive tested person. TraceFi only provides the date and time, duration, location, if known, and collocations for each of the person’s devices. The human contact tracer then reviews exactly this information with the positive tested person to make a determination about who may have been infected.
The limited time practice: keep personal data no longer than is needed to accomplish the task.
Contact tracers need only go back for the last 14 days, so only the last 14 days of information is kept in TraceFi and only the last 14 days of information is made available to contact tracers through the HUHS Contact Tracing Option on MyDataCan for those MyDataCan users who opted to be included in contact tracing.
The access practice: the person who is the subject of the data should have a copy of their data.
MyDataCan is architected around the principle that the person who is the subject of the data is in control of a copy of their data. Each app and service on the MyDataCan platform therefore stores a copy of the person’s location information into the person’s own private storage on MyDataCan. This copy is under the control of the person, who can opt to share their information with human contact tracers.
A person can receive a copy of their own TraceFi data in their private storage on MyDataCan. This option is available on MyDataCan. This copy is for the person’s own use and is independent of the copy maintained in TraceFi for up to 14 days. The person’s copy in MyDataCan is not subject to the 14 day limit.
The accuracy practice: individuals should be able to make corrections to their own data.
The human contact tracer receives proximity and collocation information from TraceFi and from the HUHS Contact Tracing Option on MyDataCan specific to a case of a positive tested person and for the purpose of reviewing the retrieved information with the positive tested person, who can attest to its accuracy and whose attestations are the basis for the determinations of likely infections to others.
Accountable and Transparent
The accountability and transparency practice: the ability to audit any accesses made to the data.
Each access to TraceFi data is recorded in an immutable log that is not accessible to the Data Privacy Lab which provides it, but whose contents are available to others for monthly review and audit and reported to the University Electronic Communications Policy Oversight Committee which makes public summaries.
Each access to data from MyDataCan under the HUHS Contact Tracing Option is logged in the person’s private storage. This allows the person to know whenever a contact tracer requested the person’s data. Similarly, if a person elects to have a copy of their TraceFi data copied to their private storage on MyDataCan, any requests of the person’s TraceFi data will also log in the person’s private storage.
The consent practice: individual participation is optional.
A person can opt-out of TraceFi and the TraceFi sensors will not capture information from the person’s devices and the person can still use Harvard’s Wi-Fi. A person can also turn Wi-Fi off on their devices (but then those devices would not be able to use Harvard’s Wi-Fi).
MyDataCan is opt-in and so is the HUHS Contact Tracing Option. A person does not have to participate in contact tracing to use MyDataCan and a person can stop using MyDataCan or the HUHS Contact Tracing Option at anytime.
The security practice: technologies comply with stringent security practices.
Both MyDataCan and TraceFi store and process information compliant to Harvard’s highest online security level (Level 4). In addition, both systems have routine security audits and tests.