1. Who has provided you with this App?
The COVID Alert Malta App (the “App”) is being provided by the Superintendent of Public Health who is also the Data Controller. Under the data protection law, the Data Controller is responsible for the processing of the App users’ data. The Data Controller may be contacted at:
Department for Health Regulation,
Office of the Superintendent of Public Health,
St. Luke’s Hospital, Outpatients Block Level 1,
St. Luke’s Square
Pietà PTA 1010
The Data Protection Officer can be contacted on the following e-mails addresses: email@example.com
2. Is using the App voluntary?
Using the App is entirely voluntary. It is your decision alone whether and how you use the App.
To withdraw your consent to the exposure logging feature, you can disable the feature using the toggle switch in the App or delete the App. If you decide to use the exposure logging feature again, you can toggle the feature back on or reinstall the App.
Individuals who decide not to or cannot use the App will not suffer from any disadvantage.
3. On what legal basis is your data processed?
The processing of personal data is governed by data protection legislation, including the General Data Protection Regulation (EU) 2016/679 (GDPR) and Data Protection Act (Cap 586 in the Laws of Malta). This app is also based on Legal Notice 379 of 2020.
The fact that a contact tracing application is used on a voluntary basis does not mean that the most appropriate legal basis for processing under EU Data Protection law is consent.
While use of the App will occur on a voluntary basis, the most appropriate legal basis for processing the information is not consent. When EU public authorities provide a service based on a mandate assigned by and in line with requirements laid down by law, the most relevant legal basis for the processing, with regarding to personal data, is the necessity for the performance of a task in the public interest, i.e. Art. 6(1)(e) GDPR.
The GDPR lays down rules regarding lawfulness, proportionality and necessity. These provisions stipulate that the processing of personal data without the data subject’s consent is prohibited unless ‘necessary’ for certain specified purposes.
In the present case, Articles 6(1)(e) and 9(2)(i) are the most appropriate and protective legal bases for processing the personal, health data. The basis for the processing under Article 9(2)(i) indicates that the processing of ‘special categories of personal data’ like health data may take place without the consent of the data subject, provided such processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health, and on the basis of a law which ‘provides for suitable and specific measures to safeguard the rights and freedoms of the data subject’.
The data is used solely for the purpose of exposure notification/contact tracing.
The data collected by or from the App will not be used for any other purpose.
The exclusive purpose of the App, and the associated data processing, is to track proximity events between user devices (without any other location information) in order to facilitate quick and efficient identification of possible contacts of infected persons. Users whose devices have been in significant proximity of an infected person, are notified accordingly.
5. Who is the App aimed at?
The App is aimed at people who are citizens, residents and/or visitors in Malta, and at least thirteen years of age (as provided by S.L. 586.11 in the Laws of Malta).
6. What personal data is collected and processed?
The entire App system is designed to ensure that the App user is as far as possible not identifiable. The processing of personal data is kept to a minimum and designed to maintain privacy through anonymisation and pseudonymisation. Data cannot be traced back by technical means to persons, locations or devices. What is collected is not location data, but merely encrypted data concerning proximity (contact) events. This is protected by technical means against misuse. The Superintendent of Public Health cannot draw any conclusions concerning App users. The App protects users’ data in such a way that it cannot be connected to specific persons. Connection to a specific person cannot, however, be ruled out altogether. There is a certain possibility that, when someone is notified of a possible exposure, their recollection of social contacts over recent days may allow them to deduce the identity of the infected individual. The notification contains the information that the user may potentially have been exposed to the coronavirus, the date on which this was last the case, and the behavioural recommendations of the Superintendent of Public Health. As a result of using the App, persons may thus potentially be identified.
The App system has two components:
- An exposure notification data management system, comprising software installed by users on their mobile phones and a back end (“EN back end”).
- An authorisation code management system, comprising a web-based front end and a back end.
Both back ends, as central servers, are under the control of the Superintendent of Public Health and are operated technically by the Malta Information Technology Agency (MITA). The code management front ends run on the devices of the health professionals authorised to generate the authorisation codes.
The data stored locally on a user’s device consists of the following:
- The Temporary Exposure Keys (TEKs) – The user device generates a daily random TEK using a cryptographic random number generator. This TEK is then used to generate the Rotating Proximity Identifiers;
- Rotating Proximity Identifiers (RPIs) – These are privacy-preserving identifiers generated every 10 minutes that are broadcast via Bluetooth; and
- Coarse timestamps.
In the event of an infection being confirmed in a user, the following data is recorded in the code management system:
- The authorisation code;
- The date on which the first symptoms appeared, or – if the infected individual is asymptomatic – the date of testing (onset date);
- The time at which this data is to be destroyed; and
- The transmission risk level assigned by the Superintendent of Public Health to the case., which is used to assess the risk of infection of other users if they come in contact with the COVID-positive individual.
The EN back end contains a list with the following data:
- The secret keys (TEKs) of infected users which were current in the period during which infection of other persons could have occurred (i.e. from onset date onwards up to a maximum of 14 days); and
- The date of each key.
After coming into proximity (2 metres or less) with another mobile phone on which the App is running, the App stores the following data:
- The Rotating Proximity Identifiers (RPIs) broadcast by the other device;
- Proximity (the Bluetooth low energy signal strength);
- Approximate time window; and
- The estimated duration of proximity.
When a person is identified to be COVID-positive, further information is provided and kept by the health authorities. This information is distinct from the COVID exposure notification/contact tracing system. Health data related to COVID tests is not part of the App and its functions.
Health data is any data containing information about the health of a particular individual.
- Data Transfer
The App uses an interface to the operating system of the user’s mobile phone, which entails the processing of data by Apple or Google devices and relevant technology. The functionality used to record encounters with other users is called “COVID-19 Exposure Notifications” on Android smartphones and “COVID-19 Exposure Logging” on iPhones. This exposure logging functionality is what keeps track of other devices that come in close proximity to your device, and is not part of the App, but an integral part of your smartphone’s operating system. This means that the exposure logging functionality is provided to the user by Apple (iPhones) or Google (Android smartphones) and is subject to these companies’ respective privacy policies. The Superintendent of Public Health has no influence on data processing performed by either the operating system (whether in connection with exposure logging or otherwise), or any other mobile applications installed on the user devices.
- Data Security
To protect data against unauthorised access, loss, or misuse, the Superintendent of Public Health, in close collaboration with its internal and external hosting providers and other IT service providers, takes appropriate security measures of a technical nature (e.g. encryption, pseudonymisation, logging, access controls and restrictions, data backup, IT and network security solutions) and organisational nature (e.g. staff directives, confidentiality agreements, inspections).
- When will data be deleted?
The data will be deleted as soon as it is no longer required for the notification of users. Specifically, it will be permanently erased as follows:
- data in the exposure notification data management system on mobile phone: 14 days after capture;
- data in the exposure notification data management system back end: 14 days after upload;
- backup will be made for the data on the data server and will cover 7 days. Therefore, the total data retention period on the data server will be 14 days + 7 days backup.
- Is the data transferred to a third county?
- Your rights under data protection law
By means of innovative cryptographic methods and decentralised data processing, the App is designed to ensure that, as far as possible, no information relating to identified or identifiable persons (personal data) is present. For this reason, the Superintendent of Public Health cannot:
(i) identify the individuals to which the data stored on the back end server relates, and thus cannot carry out requests for erasure, or
(ii) access, nor erase, the data that is stored on the users’ devices. It is not possible for the Superintendent of Public Health, for example, to provide information on the proximity events logged for a specific person or to correct this data. The Superintendent of Public Health cannot inspect this data, as it is stored only on the mobile phones of the respective user.
The system has been designed so that only a user’s device processes or stores any identifiable personal data about that user. No entities are involved in the processing of any identifiable user personal data.
Accordingly, the system is neutral from the point of view of individuals: in the absence of personal data being stored on the backend server or the device of other users, individuals’ rights pursuant to data protection laws are not restricted (nor are they enabled).
Users who want to stop participating in the system may at any time stop using their user App or delete it. All data already uploaded to the back end server are erased at the end of the retention period (14 days + 7 days backup). Due to the decentralised design, the back end server only has a limited control on the data. In particular, it cannot:
- identify the individuals to which the data stored on the backend server relates (thus cannot carry out requests for deletion) or
- access, nor erase, the data that is stored on the users’ devices. Providing the back end server with additional control over the data processed via the system would ultimately be detrimental to the individuals.
You also have the following data protection rights:
- the right to contact the data protection officer and raise your concerns (Article 38(4) of the GDPR); and
- the right to lodge a complaint with the Information and Data Protection Commissioner (IDPC) who can be contacted at:
Address: Level 2, Airways House,
Sliema SLM 1549
Last amended: 1st October 2020