Apple should be breathing a little easier today. It appears that the company has allayed the fears of the Senate Finance Committee -- the group that sets national health policy -- regarding the committee’s concerns over the tech giant’s COVID-19-related website and app.
In Apple’s original announcement, it underlined that it will collect "some information" to help improve the site, but it stumbled by not identifying exactly what that information would include.
That faux pas caught the Committee’s eye, and when it started poring over Apple’s announcement, more questions came to light. To get those answers, it spared no time in going straight to the top of Apple’s org chart.
“While we acknowledge Apple’s statements regarding user privacy and that the questionnaire tools ‘do not require a sign-in or association with a user’s Apple ID, and users’ individual responses will not be sent to Apple or any government organization,’ we are nonetheless concerned for the safety and security of Americans’ private health data,” Sens. Menendez, Blumenthal, Harris and Booker wrote to Apple’s CEO, Tim Cook.
Concerns and answers
Triggering the Senators’ concerns were several things, including:
Is Apple’s screening site and app governed under the terms of Health Insurance Portability and Accountability Act (HIPAA)?
What personal data is Apple going to retain?
Will Apple promise that it will not share or sell any of the data gathered?
What cybersecurity safeguards does Apple have to secure the personal data?
Will the website be accessible to those with disabilities?
As a quick background, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) supervises the stream of healthcare information and guarantees how personally identifiable information is maintained and shared.
In Apple senior government affairs director Timothy Powderly’s response to the Senate, he stated that the company’s tools are not covered by the health privacy law HIPAA -- specifically the governance of HIPAA regarding when a company can disclose data to a third party. Powderly went on to say that there aren’t any third parties involved in collecting the information, since “data (is) entered into the website and app directly by users.”
Retention of personal data
Reminding the Committee that it does not currently collect any information entered into the website and app by individuals, Apple responded that its COVID-19 resources are no exception.
“Guided by this principle, Apple currently collects only the information necessary to support the operation of the COVID-19 website and app, such as users’ usage of the tool and app; this information does not include information entered by individuals,” wrote Powderly.
“Apple only retains this information for so long as is necessary to support the operation of the COVID-19 website and app. Information no longer needed is deleted or rendered permanently unrecoverable in accordance with industry standards.”
Will Apple commit to refraining from sharing or selling the data collected on the website and app to third parties?
There was no pussyfooting from Apple here.
“Yes, no data collected from either the website or app will ever be sold to third parties,” Powderly said.
How Apple will protect the user data
Apple’s answer was a little technical, but its bottom line response was that the company has developed layers of “technical and administrative safeguards” to protect data as it’s being transported. It has also restricted access to that data to authorized personnel only.
Accessibility of the website to those with disabilities
Again, the answer was another straightforward “yes” from Powderly.
“Apple’s COVID-19 app and website support features such as Apple’s VoiceOver technology, a screen reader which describes exactly what’s happening on the screen of an Apple device so that individuals can navigate just by listening, as well as Switch Control and Voice Control, which support individuals with physical motor limitations to use devices without touch,” he wrote.