There has been a lot of writing, backlash, concern and so on about the ‘automatic’ contact tracing apps. Whether it’s the Apple and Google initiative, Singapore’s Trace Together app, or the many other options. Most of these solutions are for smartphones. Most of the writing appears to assume smartphone use as well. And this paper by the Ada Lovelace Institute is absolutely fantastic.
However, many people don’t have smartphones. So these apps are, regardless of what your opinion of them are, useless when smartphones don’t exist. And yet, contact tracing still happens in these contexts. It’s much more manual. However, it too is ‘going digital’ where it can. If you have a feature phone – SMS and phone calls are used. If you don’t have a device, community health workers (CHWs) try to visit you and record details on their device.
Here are a few principles to consider, if you are going to use one of these non-smartphone digital ways of contact tracing:
- Prior to collecting ‘contact’ data, it should be clear with whom you will be sharing the data with, why you are, who will have access to their data, and what they are doing with the data. Communicate this clearly to the ‘contact’ before collecting their data.
- Make it Voluntary – when interacting with the person who has been in recent contact with a known infected person, explain COVID, explain what data you need, why you need it, how you will use it, with whom you will share it, and if it will be deleted. IF agree, proceed, if not recommend actions, symptoms, and leave.
- Practice Data Minimisation – determine the absolute minimum amount of data you need to collect to monitor the ‘contact’. I assume this is name, means of contact (phone number or CHW visit), and then whatever health symptoms you are monitoring. In this monitoring stage, I see no reason to collect age, gender, health conditions, etc. unless it impacts the type of symptoms to monitor. The least amount of data to collect is the best practice.
- Make Deletion Mandatory and Automatic – after the known infectious period over (~15 days) then ensure that whatever digital tool you are using to track the ‘contact’ automatically deletes all data (and associated data) from all systems. And no, anonymising the data is NOT good enough.
- Being included in Aggregate Datasets should be Opt in – in some situations there can be benefits to being able to study or see aggregate datasets. However, give the ‘contact’ a choice about having her/his data included in this. If agreed, all data should be anonymised.
- The storage of the ‘contact’ data should be local and decentralised. The primary purpose of contact tracing is to monitor if the ‘contact’ develops COVID symptoms.
- Have an Exit Strategy/Sunset clause before you begin. Be clear how long will you do contact tracing, what broader triggers you will monitor to determine when you will stop. Don’t be general (i.e. “we will do this until it is no longer helpful…“). Be very SPECIFIC.
- Establish a small group or ‘board‘ to oversee what data is collected, who has access, with whom it is shared, when it is deleted, and so on. This board should be independent of the project team and ideally include an external person. And should have ‘teeth’ so it can hold the project team accountable. This board should have the authority to decide whether or not to share data with new actors, to delete datasets, and to determine when to ‘sunset’ the contact tracing. They also should make their deliberations transparent and communicate widely.
Additionally, the Ada Lovelace piece referenced above has some great policy and legislative asks that should be happening as well.