The new Covid-calculator with many open questions about users’ privacy

01.02.2021

In Focus

The new Covid-calculator, with which users can calculate their so-called covid-age, or their risk of getting infected with Covid-19, can serve as a useful tool, but it leaves open many questions regarding the privacy of the data of those who will use it.

The Covid-calculator was developed by the Macedonian Occupational Safety and Health Association (MOSHA) in cooperation with the Institute of Public Health (IPH), which are also announcing the establishment of a knowledge center, the “Epi Covid-19 OSH Center”.

“The test results are individual, and to obtain them it is necessary to enter parameters for certain diseases, as well as age, height and weight. The basis for this tool is the biological age of the patients/workers because the evidence so far indicates that it is the highest risk factor for complications and death from Covid-19,” said MOSHA.

In addition to the date of birth, height and weight, the tool requires the name and surname, municipality as well as data on previous illnesses and chronic diseases.

The Occupational Safety and Health Association says that covid-age works on the principle of “translating” an individual health risk factor into years, which are added to (or subtracted from) the current biological age of the person. This gives an “expected age” that is used to assess the risk of whether a person will get the disease and what the further expected outcome of the disease would be.

This publication entitled “Occupational Risk Assessment for Exposure to Sars-Cov-2 Virus” is published by MOSHA and is available at this link.

Elena Stojanovska, an analyst in the field of personal data protection from the Metamorphosis Foundation, says that there is undoubtedly a great benefit from the calculator in terms of informing citizens about the potential risk of infection with Covid-19, according to their previous health conditions. But from a privacy protection point of view, several questions arise regarding the settings of the calculator.

The first problem noticed upon opening the tool is the insecure connection, http://62.162.94.3/covid-calculator/, and the fact that it is not connected to a domain, so it does not provide information about the owner of the tool.

“Given the fact that the analysis is relevant only if the questions about the previous health condition are answered correctly, their scope is justified. However, it must be taken into account that these are 19 data, some health, some biometric, which according to the Law on Personal Data Protection, fall into the category of sensitive personal data, and thus enjoy a higher degree of protection,” said Stojanovska.

The next remark is about the volume of mandatory personal data that needs to be entered to obtain the analysis. Without entering the first and last name, municipality, date of birth (day, month and year), gender and industry, the analysis cannot be performed. Stojanovska estimates that the year of birth (without day and month), gender, industry and data on previous health conditions are quite sufficient to obtain the analysis, and that the name, surname and municipality do not directly affect the determination of the potential risk of infection with Covid-19.

“The question also arises whether the entered data are stored and processed by the Macedonian Occupational Safety and Health Association and the Institute of Public Health for statistical analysis. If that is the case, the information about the municipality can be valid, but not mandatory, and can only be obtained if the person only decides to give it,” she said.

The general recommendation is to urgently publish a Calculator Privacy Policy that states whether the data is stored in an electronic database, or whether the tool only generates an analysis at the time of data entry that is available in real time only to the person who enters the data. If the data is stored, it should be made public who owns that personal database: the Occupational Safety and Health Association, the Institute of Public Health, or another legal entity. Furthermore, the policy should state whether, in addition to the purpose of informing the individual, there are other purposes for which the personal data will be used (statistical analysis), which ones, and what the legitimate interests of that processing are. It should also state whether the collected data will be given to a third party for use, for what purpose, and who that third party is. It is also necessary to determine a reasonable period of data storage, given that most of the data are subject to change and cannot be considered relevant in the long run.

“Given that the calculator is expected to assist employers in assessing the risk of Covid-19 infection of employees, any employer who uses it should also have an obligation to properly handle the data that they get from the calculator,” points out Stojanovska.