This data protection notice applies to the Tracing Ireland's Population (TIP) phone application, designed to aid the management of Covid-19 in Ireland. This phone application adheres to the European General Data Protection Regulation (GDPR) law on data protection and privacy. Under this regulation we collect information about you and your symptoms if unwell.
The information processed in the app is a combination of personal data, symptom data and anonymous data.
This information includes:
Information about your symptoms
Your Covid-19 test status
Details of any treatment you have received
Your current county and Eircode routing key
Whether you are a health worker
Name and location of usual doctor
Your mobile number is linked directly to you and is therefore your personal data. Your mobile number allows you to receive a One Time Passcode (OTP) as a security measure. An OTP is a unique code sent to you by text message. This ensures your submitted data is validated. Your mobile number will be encrypted and is not used for any other purpose. The symptom data does not reveal your identity.
Information collected includes:
Random pseudonymised device ID
The purpose of collecting this is twofold:
a) Keeping in touch with you about the app and its performance.
b) Sending you information about new versions of the app or similar apps we may have in the future.
This ID is encrypted using the 256-bit Advanced Encryption Standard (AES) in the cloud database.
As a consequence of how traffic passes across the Internet, your internet protocol (IP) address is also inevitably transferred to our servers. An IP address is assigned to you by your mobile phone or Wi-Fi service provider. Under the GDPR your IP address is regarded as your personal data. Once your submitted information is transferred from your device to TIP servers, your IP address is removed to ensure you are not identifiable.
If you are showing symptoms of Covid-19 according to HSE guidelines, you will be asked to provide the name of your registered general practitioner (GP). This information is used to inform GPs of current Covid-19 symptoms in their area. No individual is identifiable to the GP or TIP creators. GPs will simply receive high-level statistical information, e.g. the number of people in their area currently experiencing a high fever.
If you are showing symptoms of Covid-19 according to HSE guidelines, you will be asked to provide the phone numbers of any known close contacts you were with 48 hours before developing symptoms. By submitting this information, you agree to these close contacts being notified that they have had contact with an individual with potential Covid-19 symptoms. Your identity will remain anonymous. This process allows you to protect your community whilst maintaining your privacy.
Close contact information:
In adherence with Article 14 of the GDPR, TIP notifies the known close contacts that their personal data (phone number) has been acquired. Close contacts are given a link to this data protection notice, which informs them that their phone number will remain in the TIP database for 20 days after initial submission. Close contacts are notified directly via a two-step SMS process. The SMS messages read:
'TIP is a non-profit organisation created to allow the Irish public to take control of Covid-19 contact tracing. Please visit our data protection notice for more information on your data rights. https://www.tracingirelandspopulation.com/dataprotectionnotice'
‘NOTICE: An individual currently experiencing strong Covid-19 symptoms has listed you as a known close contact. Please download the Tracing Ireland’s Population (TIP) phone application here to check if you are experiencing any symptoms. Please follow the HSE’s latest guidelines and stay safe.’
The retention period of 20 days allows the known close contacts to inform TIP of any requests they may have regarding the initial submission of their data. All correspondence from TIP is sent using an alphanumeric ID of ‘COVID19TIP’.
We process data to:
Better understand symptoms of Covid-19
Track the spread of Covid-19
Identify the exposure of individuals and their close contacts
Provide general practitioners with real time symptom data within their region
Identify localised Covid-19 clusters in order to avoid the requirement of future lockdowns
Aid future research with universities
Our legal basis for processing it is that you consented to our doing so. Because of the tight regulatory requirements placed on us, we need your consent to process data about your health, which means that if you do not consent (or withdraw your consent), we cannot allow you to use the app.
If you wish us to stop processing your sensitive personal data, you may withdraw your consent at any time directly through the TIP application. Each user may directly flag the desire to remove their data through the app interface.
In line with Article 15 of the GDPR, the user will be required to submit this request in writing so that we may validate their identity. This avoids the inadvertent deletion of valid data where a request was put through by another person who gains access to the phone/app. If valid, this removal of data will be granted. The request may be sent to When you withdraw your consent, we will delete all sensitive personal data we hold about you.
We use third parties to process some of your data on our behalf. When we allow them access to your data, we do not permit them to use it for their own purposes. We have in place with each processor a contract that requires them only to process the data on our instructions and to take proper care in using it. They are not permitted to keep the data after our relationship with them has ended.
These processors include:
Amazon Web Services (AWS) provides cloud storage and cloud services for the data submitted by the user.
Google Firebase notifies the end users about new app version releases through push notifications. This helps maintain the app user’s privacy.
Twilio is the cloud messaging gateway company that sends text messages to close contacts.
The exact retention period of non-personal data has yet to be set. Aggregated and non-personal data about the spread of the virus is likely to be extremely valuable for researchers studying both this virus and understanding epidemic spread for the future. This data would be used only by university bodies. We are therefore likely to retain this information for much longer; however, this will be kept under review to ensure that it is not kept any longer than necessary. Personal data is removed 20 days after the user's last activity.
Under the GDPR you have a number of important rights free of charge. In summary, those include rights to:
Be informed about the processing of your personal data;
Access your personal data;
Rectification of your personal data;
Erasure of your personal data;
Object to processing of your personal data;
Restrict processing of your personal data;
Rights in relation to automated decision making, including profiling.
You also have the right to make a complaint to the Data Protection Commission at any time in relation to any issues related to our processing of your personal data. The Data Protection Commission can be contacted at www.dataprotection.ie.
The General Data Protection Regulation also gives you the right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred.
Data Protection Enquiries: firstname.lastname@example.org
Institutions we share anonymised data with:
Universities in Ireland