By Wahab Hamou-Lhadj, PhD | April 23, 2020
With so many countries planning to lift the lockdown and re-launch the economy, the risk of spreading the coronavirus (COVID-19) becomes higher unless a vaccine is found and deployed, a task that may take several months according to experts.
Social guidelines such as distancing, frequent hand washing, and the wearing of masks should remain in effect, but these actions alone may not be sufficient to slow down the spread of the virus. Public health authorities must continue their efforts in conducting rigorous contact tracing and testing.
Contact tracing has traditionally been done manually, a process that is time-consuming, which limits its scalability for a large population. Contact tracing apps have emerged as a possible solution that is considered (or used) by some countries to supplement (and not to replace) manual contact tracing efforts. Simply put, contact tracing apps use proximity data to enable health authorities to trace individuals who may have been in close contact with someone who tested positive for the virus and send them instructions on how to proceed.
In my opinion, for these apps to gain wide acceptance, they should (a) satisfy a clear set of requirements and be developed using best practices, (b) comply with the applicable privacy laws and regulations, and (c) operate within an open and transparent governance framework.
Contact tracing apps are, above all, software tools, and their development should be based on a clear set of requirements and the adoption of best software development practices. App developers should work closely with health authority experts to understand the functional and non-functional (performance, scalability, security, etc.) requirements that an app should support.
To this end, I find the recently issued European Union requirement guidelines for contact tracing app development quite helpful. I summarize some of the key points in what follows (the complete document can be downloaded here):
Privacy-preservation goes beyond technology. App developers should be aware of the data privacy protection laws applicable in their respective countries and regions. These laws were created to protect the right to privacy, which is a fundamental human right.
For example, the EU General Data Protection Regulation (GDPR) that went into effect in 2018 regulates the collection, use, and disclosure of personal data of EU citizens by enforcing a set of principles that ensure "fairness and transparency" in the processing of private data, and that organizations only collect the data needed for a given purpose. In addition, the data must be deleted once no longer needed for the purpose for which it was collected. The complete list of GDPR principles can be found here.
In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) regulates how “private companies across Canada collect, use or disclose personal data”. Similar laws to PIPEDA exist at the provincial level, such as the Personal Health Information Protection Act of Ontario, Québec’s An Act Respecting the Protection of Personal Information in the Private Sector, etc.
Recently, the Office of the Privacy Commissioner (OPC) of Canada issued a framework to help government institutions evaluate the impact on privacy of initiatives, such as the development of contact tracing apps, which would rely on the collection and processing of personal information to combat COVID-19.
The OPC framework states that government institutions must operate within a legal framework by respecting the applicable data privacy laws (e.g., PIPEDA or other provincial laws) including any special provisions under emergency laws, and that any necessary new measures that may contravene existing laws must be based on scientific evidence and must be proportionate. Personal information must be used to combat the pandemic and not for any other purpose. Government institutions should also be mindful of the impact that the data may have on vulnerable populations to prevent discrimination and stigmatization. The complete list of guidelines can be found here.
In short, I believe that it is essential for contact tracing apps to comply with the applicable data privacy and protection laws and guidelines to preserve people's right to privacy, which can lead to increased trust in the use of these apps.
Countries should consider putting in place clear mechanisms to govern and monitor the use of contact tracing apps. The EU guidelines state that all apps must be approved by the competent health authorities, which are also the ones accountable for these apps. The installation of an app is on a voluntary basis, and for situations where a person should provide identifiable personal information, an opt-in model is adopted.
I also believe that it is critical to establish monitoring processes to ensure that these apps work as intended and to allow public authorities to take the necessary actions to address potential issues. The EU guidelines go further by suggesting that Member States “should develop a set of KPIs to assess/reflect the effectiveness of the apps in supporting contact tracing.” Various monitoring techniques have been proposed, ranging from technical peer reviews to thorough audits of the apps with respect to, among other things, privacy and security.
We should also keep in mind that the effectiveness of these apps heavily depends on user uptake and behaviour. Policy makers should consider public awareness campaigns to promote the appropriate use of these apps, while stressing the fact that people should not overly rely on these apps by relaxing other social measures. Contact tracing apps are just one tool, among others, as part of a government strategy to gradually lift the lockdown.
Furthermore, we must not forget the population groups who cannot use these apps (e.g., children, people with no smartphones). This is another reason why manual tracing must remain in effect and active.
In summary, it is difficult to assess the effectiveness of contact tracing apps in helping to combat this deadly disease, but I believe that the chances are higher if these apps are developed following a clear set of requirements established by the competent health authorities in charge of the crisis, adopt best software practices, and comply with data privacy laws and regulations. Governments should also put in place governance, monitoring and accountability mechanisms to ensure the appropriate and effective use of these apps and to prevent potential oversights and problems.