Kzenon - stock.adobe.com
Singapore’s TraceTogether contact-tracing app is the least intrusive in terms of privacy among similar apps in Southeast Asia, a study has found.
Conducted by the Data Protection Excellence Centre (Dpex), the learning and research arm of Straits Interactive, a data protection consultancy, the “privacy sweep” study analysed the app permissions required by six Android-based contact-tracing apps issued by governments in Indonesia, Malaysia, Philippines, Singapore, Thailand and Vietnam.
Kevin Shepherdson, CEO of Straits interactive, said the privacy sweep was aimed at finding out how privacy-invasive these apps were and to address privacy and surveillance concerns of users in the Association of Southeast Asian Nations (ASEAN) region as more countries start to lift lockdown restrictions.
“We took into account where each app used privacy by design principles, in addition to scrutinising the privacy notices and the functionalities of each app against the permissions that it required,” he added.
These permissions include access to a smartphone’s camera, contacts, location, microphone, media files and other functions.
Dpex said, in many cases, privacy and data protection laws do not allow relevant personal data to be collected, used or disclosed unless the user gives explicit consent by “accepting” the request for permission to do so.
These rules also restrict smart apps from “excessive” use of permissions that are proportionate to the apps’ purposes and functions.
In conducting the study, Dpex engaged local reviewers with a qualification in data protection from the International Association of Privacy Professionals.
The reviewers determined if app permissions exceeded what would be expected based on the app’s functionality and whether the app explained to consumers why it wanted the personal data and what it planned to do with it.
In their review of TraceTogether, the reviewers found that the app’s privacy statement and accompanying documents explained clearly, in simple words, what it does, what type of personal data is collected and how it may be used or disclosed. The permissions sought by the app did not exceed its functionality and declared purposes.
While TraceTogether did not comply with all nine obligations under Singapore’s Personal Data Protection Act or all of the six processing principles under the General Data Protection Regulation, it was generally consistent with those obligations and principles.
Read more about data protection in ASEAN
- More governments in Asia are implementing data protection regimes, but challenges such as checkbox compliance and the lack of effective staff training remain.
- Thailand’s National Institute of Development Administration is offering a certification programme to get organisations ready for the country’s data protection regime.
- A large proportion of ASEAN businesses will be affected by Europe’s General Data Protection Regulation, but awareness of the new rules remains low, even in countries with existing data protection laws.
- Some Malaysian firms are not using data protection tools to the fullest potential, while others only think about data protection after a breach.
The few areas where it fell short tend to reflect its nature rather than an inadvertent or careless departure from an obligation or principle, Dpex noted.
Except for Singapore’s TraceTogether, most of the apps reviewed required excessive permissions based on the reviewer’s understanding of the purposes of the application.
Half of the apps in the study did not satisfactorily explain how personal data would be used or shared with the government agency if and when an individual is infected.
Vietnam’s Blue Zone used the least permissions to perform its contact-tracing functions, while Thailand’s MorChana required the most permissions to do so.