As Poslovni Dnevnik/Bernard Ivezic writes on the 17th of April, 2020, Andrija, the new government service, is the first government service for which a Privacy Policy has been published, which sets somewhat of a precedent.
Andrija.ai, the world’s first digital consultant to handle cases of suspected coronavirus infection, has decided to end the babbling of conspiracy theorists and has published its very own Privacy Policy.
For the past three days, all sorts of eyebrow-raising conspiracy theories about the new service have been circulating, claiming that through this service, the Croatian Government wants to ”spy on citizens” through artificial intelligence, that it wants to encourage citizens to disclose the health status of their household members, and more.
The government of course denied it, but now it has gone one step further in silencing conspiracy theorists.
Andrija is, as stated, the very first government service to have a Privacy Policy, that is, a legally binding document that defines how data is managed on the Andrija.ai service. The Croatian Government has not implemented any public-private partnership in this way before and therefore has not ever had to face the situation of having to publish a Privacy Policy for some of its services.
The system, we recall, was created owing to the collaboration of the Ministry of Health and four private companies. The Croatian AI startup Mindsmiths, in collaboration with an epidemiology team led by Branko Kolaric, created an expert system that manages Andrija. Croatia’s largest software company, Infobip, has linked Andrija and WhatsApp via its global communications platform to make it easily accessible to as many users as possible, and Neos, a partner of Oracle, has made sure Andrija has robust enough technology for it to be able to ”chat” to four million Croatian citizens.
Mislav Malenica, CEO of Mindsmiths and president of the CroAI’s Artificial Intelligence Association, says that it is now clear that the data processing manager, the one with whom people are engaging when using Andrija, is the Ministry of Health. He added that in addition to the ministry, companies that created and maintained the system themselves also have access to Andrija. These are the Croatian companies Mindsmiths and Neos.
“The executors who have access at the moment are Mindsmiths, which ensures that Andrija is working properly, and Neos, which prepares data for analysis at the Ministry of Health,” explained Malenica. He added that the most sensitive information Andrija collects is the user’s mobile number. However, this information is clarified for the sole purpose of the user being able to communicate with Andrija.
“In order for Andrija to respond, he has to send a message to a phone number. If the user doesn’t use Andrija for more than three months, the phone number will be deleted because it will be considered that the user no longer needs to use Andrija,” said Malenica.
He also clarified that Andrija doesn’t require information on the health status of the beneficiary or of the other members of their household, and it neither stores nor collects additional identifiers on the basis of which household members can be identified. Additionally, if a user voluntarily shares their location with Andrija, this information isn’t used in identifying the user, such as searching for his or her home address. Moreover, the point of this is, it follows from Andrija’s Privacy Policy, is that epidemiologists can evaluate in which area, such as Zagreb, Split or Lika, certain symptoms occur and how often they occur, as this may indicate to them in what part of Croatia there is a possibility that the development of a new focal point may occur.
Malenica explained that through communication, Andrija collects information such as: general household information, general household member information, a rough household location, personal opinions and the user’s personal opinions on their own state of health. This all happens on a voluntary basis. The narrower location is being obtained because analysis experts don’t require high precision; they do calculations at the municipal or regional level, thereby reducing the potential for abuse.
In addition, Andrija’s Privacy Policy clearly defines that users may request that their information be deleted.
If the user doesn’t make that request, after three months, the system deletes any identification data, such as phone numbers, and anonymises the data so that no further processing can result in any subsequent processing of the user’s identity. It is standard practice across a range of industries, and so far, this practice has proven to be completely safe for users. Thus, the data left by users is no longer personal data, but rather represents an anonymised data set, ie a database, on the state of Croatia at the time of the coronavirus, which, for example, will allow epidemiologists to analyse how to better manage a future pandemic.
Andrija is something special, because the state was not obliged to publish Privacy Policies up until the creation of this public-private partnership. Namely, the state has the power to legislate. This is, therefore, the first time that in a service offered by the state, citizens have the power to decide for themselves on their personal data.
Make sure to follow our dedicated section for more on coronavirus in Croatia.