In recent days, the media has followed the possibility that the Costa Rican Social Security Fund (CCSS) might use the EDUS application (Single Digital Health Record) to identify people who were or have been in physical contact with individuals diagnosed with COVID-19. According to authorities, the tool could achieve this by having people with the EDUS app on their electronic devices keep their Bluetooth function enabled. In this way, location and contact information would be sent to the CCSS databases for follow-up, allowing for geolocation.
As a premise, we can consider that technology and data protection are compatible and that the initiative would indeed be very useful for preventing community spread in Costa Rica, which we have avoided thanks to health policies. However, the use of technology and tools like the EDUS application cannot overlook compliance with applicable data protection regulations, especially since we are dealing with the processing of health data and possible geolocation.
The Law on the Protection of Individuals Against the Processing of Personal Data (Law No. 8968), which has been in force in Costa Rica since 2011, is a public order law that creates the right to informational self-determination applicable to all personal data databases, in accordance with Article 4. It also creates the obligation to have informed consent for companies that collect personal information, according to section 5 of that legal text.
Based on the above, and after the initial exercise of downloading and entering the EDUS tool, it is evident that it requests personal information such as name, address, number of people you live with, email, health center you belong to, date of birth, among others. Specifically for COVID-19 issues, the system asks questions related to COVID-19 symptoms.
All the data described above are personal data of different categories under Article 9 of Law 8968: unrestricted access data, restricted access data, and sensitive data. However, the main purpose of the tool is to collect health data, which is characterized as sensitive data. All of these categories, and health data with greater rigor, require the informed consent of users before the data is processed, and that consent was not requested at the time the information was entered.
The Data Protection Law states in Article 5 that consent must be in writing, either physical or electronic. Likewise, the consent of each EDUS user must be express, precise, and unequivocal. Therefore, a specific section is required where, before entering personal data, the user is informed, at a minimum, about the existence of a database, its purposes, its recipients, the processing the data will receive, the ARCO rights (access, rectification, cancellation, and opposition), and the person responsible for the database. As a consequence, privacy policies must be provided within the tool. An application like EDUS cannot rely on tacit consent inferred simply from the user having downloaded the application from the Apple Store or Play Store, depending on the type of operating system.
To date, EDUS downloads exceed one million in Costa Rica, so the CCSS must always be in compliance with data protection regulations, both for its current use and for the possible use of geolocation for COVID-19 cases.
We cannot ignore that the CCSS, as a public health institution that obviously collects and processes patient data, must always request informed consent and comply with data protection regulations in their entirety, especially when dealing with health data. The CCSS, therefore, must always take into consideration the provisions of the Law on the Protection of Individuals Against the Processing of Personal Data and its regulations in all its processes, whether in patient care, the use of new tools, or bidding processes for the purchase of biomedical equipment, among others.