Responsible Data Use Playbook for Digital Contact Tracing

Introduction

COVID-19 is an unprecedented public health crisis. As the disease continues to spread through communities across the U.S. and abroad, information about the illness continues to evolve. To slow the spread, public health officials are turning to contact tracing as a means to track cases, identify sources of transmission, and inform people who may have been exposed to take precautions that can prevent further transmission.

Manual contact tracing is a scientifically established method that can help understand the spread of communicable diseases. For contact tracing to be most effective, people must share sensitive personal information regarding their whereabouts and the people with whom they have been in close proximity. This information allows contact tracing professionals to trace or map their locations and connect with those with whom they have been in close contact. One unique feature of the COVID-19 era is the way digital technology is facilitating these processes.

Digital contact tracing technology (DCTT) has the potential to significantly reduce the spread of COVID-19 and assist with reopening efforts. Technologies such as smartphones, mobile device applications (apps), and the network of data transfer protocols (e.g., APIs) have been pulled together to produce digital contact tracing technologies. Contact tracing apps track an individual’s exposure to COVID-19 and notify the individual if they encounter another app user who has tested positive for the virus, or who has self-reported as positive. These apps typically track users through either geolocation data or Bluetooth proximity data, or both.

Apps relying on geolocation data use GPS, WiFi, or cell phone towers to track users’ locations, while Bluetooth apps check for other nearby devices using the app and exchange a unique, often rotating, token with the other device.[1] The app later searches a database of tokens registered to users who have self-reported testing positive for COVID-19 to determine if the user was exposed to the virus.[2]

Apps using geolocation data are considered more privacy invasive because they rely on tracking the user’s location to determine proximity to other users. Bluetooth proximity apps only collect proximity data but rely on constant broadcast from a Bluetooth device, and may be less accurate than apps relying on location data.[3] This is a particular problem for centralized Bluetooth-based apps, which are not able to make use of the Google-Apple Exposure Notification API for decentralized exposure notification apps.

The design and use of these apps create privacy risks and raise ethical questions. MIT Technology Review assessed apps developed by 25 countries, while the Internet Digital Accountability Council reviewed 108 apps across 41 countries. Many of these apps failed to minimize their collection efforts and did not provide guarantees for destroying the data after a set period. Some countries’ apps also failed to place limits on the use of collected data and many of the apps reviewed did not provide transparency around their policies or design.[4] By taking these concerns into account, organizations that develop or use contact tracing apps can protect both health and privacy, and increase trust in contact tracing apps and other digital tools.

While health behavior changes at the population level, such as social distancing, hand washing, and wearing face coverings, are the current best approach to containing the spread of COVID-19, both analog and digital contact tracing are important elements of a comprehensive approach to containing the spread of this viral disease. Nevertheless, DCTT raises significant ethical and privacy concerns that should be addressed through design and policy.

Public health authorities, application developers, and users of DCTT need better information on how to best preserve privacy and ensure ethical use of contact tracing data, so they can better scale contact tracing initiatives and reduce the spread of COVID-19.

BrightHive and the Future of Privacy Forum teamed up to kick off this privacy playbook to assist the coalitions of professionals invested in development and deployment of trusted DCTT. The playbook provides a series of actionable steps that purposefully address the privacy concerns of DCTT and support the development of ethical and responsible digital contact tracing protocols.

In particular, this playbook has been developed with the following types of scenarios, or use cases, in mind: 1) easing tension between application providers, public health officials, and government authorities; 2) supporting “opt-in” models for individuals to share health and location data; 3) supporting employers that are turning to internal contact tracing when their workplaces reopen.

This playbook is organized into two categories: Foundational and organizational plays, and technical and operational plays. Foundational and organizational plays create a strong, diverse coalition with a unified goal and set of values, aid in the administration of DCTT initiatives, and ensure that the coalition adheres to its shared values and gains the public’s trust. These plays are geared toward leadership, policy, and partnership roles in an initiative.

The technical and operational plays support implementing the DCTT initiative in a way that is consistent with other plays, the coalition’s values, and users’ privacy rights. These plays are geared toward technical, project management, and day-to-day operational roles in the initiative.

While plays are geared toward different roles, BrightHive and FPF advise collaborating across teams and functions throughout the lifecycle of the DCTT initiative.

Resources

This playbook was informed by the following resources: insights and recommendations from FPF workshops, publications & testimony; Georgetown Beeck Center Data Governance Handbook; Johns Hopkins Digital Contact Tracing book; Law.MIT principles and related efforts; STAT news articles and commentary; and other data protection COVID-19 guidance/resources.

Acknowledgements

BrightHive would like to thank Maithri Vangala, Natalie Ortiz, Samantha Levy, Hana Passen, Brian Lim, Autumn Felty, Joanna Tess, Kelly Dolan, Natalie Evans Harris, and Matt Gee for their expertise and contributions to the development of this playbook.

Future of Privacy Forum would like to thank Kelsey Finch, Sara Jordan, Rachele Hendricks-Sturrup, Pollyanna Sanderson, Brenda Leong, and Katelyn Ringrose for their expertise and contributions to the development of this playbook.

Footnotes

  1. A token is a unique identifier tied to a user’s phone. Apps that use rotating tokens change the token associated with a user’s phone on a regular basis. This helps protect user privacy by essentially dividing a user’s data across multiple identities.

  2. Andy Greenberg. “How Apple and Google Are Enabling Covid-19 Contact-Tracing.” Wired. April 10, 2020. https://www.wired.com/story/apple-google-bluetooth-contact-tracing-covid-19/. 

  3. Sam Biddle. “The Inventors of Bluetooth Say There Could Be Problems Using Their Tech for Coronavirus Contact Tracing.” The Intercept. May 5, 2020. https://theintercept.com/2020/05/05/coronavirus-bluetooth-contact-tracing/.

  4. Patrick Howell O’Neill, Tate Ryan-Mosley, & Bobbie Johnson. “A flood of coronavirus apps are tracking us. Now it’s time to keep track of them.” MIT Technology Review. May 7, 2020. 

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License

PLAY 1: FOUNDATIONAL AND ORGANIZATIONAL

Follow the lead of public health experts and use evidence-based solutions

It is essential that members of a DCTT initiative coalition work with medical and public health partners to understand their data needs. Decisions about which data, analytic, and technological models to pursue should be based on medical and public health partners’ needs, their estimates of efficacy, and should be grounded in the best available evidence.

Checklist

  1. Ensure DCTT uses and limitations have been taken into account, documented, and mitigated where appropriate, before implementation.
  2. Continuously monitor the state of DCTT performance across various contexts, including monitoring for new research or evidence, alternative technologies, or unintended consequences (such as negative impacts on public health goals or unfair advantages or disadvantages for certain communities).
  3. Commit to limiting the scope of the DCTT initiative according to the advice of public health experts, including policies for dissolution of activities that: a) are judged by epidemiologists or other expert assessment to be poorly validated or ineffective for controlling the pandemic or infection chains, or b) exceed the scope of the initiative’s intended public health purpose of reducing the transmission of COVID-19.

Key Questions

PLAY 2: FOUNDATIONAL AND ORGANIZATIONAL

Decision-makers should be guided by necessity, proportionality, and purpose limitations

Measures taken in response to pandemics should be necessary and proportionate, to ensure that responses will be beneficial to solving the crisis without undue infringement on individual privacy and civil rights. Any personal information collected and used to control the harmful effects and spread of a pandemic should be strictly time-limited and confined to a specific, well-defined public health purpose. Historical evidence suggests that it is difficult to discontinue practices initiated during an emergency, and that proactive measures are required to avoid “mission creep.” Coalitions seeking to use personal information to control the harmful effects and spread of a pandemic should ask themselves whether or not a specific measure constitutes a necessary, appropriate, and proportionate action within a democratic society.

Checklist

  1. Establish an exit strategy up front to protect against continued “emergency practices” after the end of the public health crisis.
  2. Proactively identify and mitigate risks of mission creep and new or unanticipated uses of personal information.
  3. Deploy DCTT in the least intrusive way and handle personal information at the lowest level of identifiability and scale necessary to accomplish stated public health goals.
  4. Clearly articulate the specific risks and benefits to individuals and the public that are created by the DCTT.
  5. Collect only the personal information strictly necessary to accomplish stated public health goals and nothing more.

Key Questions

PLAY 3: FOUNDATIONAL AND ORGANIZATIONAL

Work with established partners who have demonstrated experience with responsible data sharing

Trusted partners with the organizational and technical capacity to support DCTTs are essential. Some organizations, such as those with established ‘Data for Good’ programs, may already have experience sharing data in privacy-protecting ways with university, NGO, or government partners, including public health authorities. In addition, university-based programs and services, including research centers with experience in data ethics, might streamline the establishment of trusted data sharing arrangements between public agencies, companies developing and/or providing DCTT, and other institutions that will need to share data with one another to coordinate contact tracing.

Checklist

  1. Carefully select partners and service providers based on their experience safeguarding personal health information and established reputation in the health sector.
  2. Have all partners and service providers commit to accountability and transparency, and provide timely communication to communities and stakeholders.
  3. Agree to terms and data uses with partners and service providers in advance, before any personal data is collected.
  4. Develop guidelines to define roles and responsibilities for partners and service providers in the DCTT initiative, as applicable.

Key Questions

PLAY 4: FOUNDATIONAL AND ORGANIZATIONAL

Develop a data governance structure

At the outset of a DCTT development project, establish a governance committee including partners, experts, data users, and DCTT users who will guide development of processes and procedures for collection, use, and destruction of data. This group should include a diverse array of individuals representing state and local public health agencies, privacy advocates, organizations that have the legitimacy to represent the individuals who are being asked to share their contact data, and other types of community advocacy organizations that want to support public health efforts while being responsive to ethical concerns. Do not wait until the technology solution is determined or implemented to establish and convene this committee.

Checklist

  1. Create a steering committee that represents the array of data stakeholders in the DCTT initiative, including those that provide and use contact tracing data.
  2. Establish a charter or similar covenant that clearly defines roles and responsibilities, and enumerates the privacy and ethical principles that guide the committee’s work and decisions about data use.
  3. Define the boundaries of the digital contact tracing initiative to prevent mission creep and deter potential secondary uses of personal data that are tangential to the immediate goals and/or use cases that do not align with the values and ethical principles articulated by the steering committee.
  4. Use the committee to inform the development of consent and data sharing protocols and processes.

Key Questions

PLAY 5: FOUNDATIONAL AND ORGANIZATIONAL

Go the extra mile to seek public trust

While transparency on its own is insufficient to protect individual privacy, respect for individual autonomy requires that the public understand how personal data is used and protected from misuse during a health crisis. Certain public health measures, including DCTT, rely on individuals’ willingness to provide their information in service of a larger goal. In support of such measures, governments, public health authorities, and corporate leaders seeking to share data should take extra steps to engage the public and be transparent about how personal data is used, by whom, and for what specific purposes.

Checklist

  1. Give the public complete and easy-to-understand descriptions of how personal information is handled and safeguarded.
  2. Clearly and publicly identify any government authorities, companies, institutions, or other entities that handle personal information collected as part of a DCTT initiative. Make available, upon reasonable request, the roles or officials involved in the initiative.
  3. Provide a clear legal basis for the collection of personal information as appropriate.
  4. Describe how the use of personal information will be limited, including prohibited uses and users.
  5. Regularly update the public about how effective the DCTT initiative is, the extent to which public health goals are achieved, and highlight any unintended consequences observed.
  6. Require valid legal process, such as a court order, for law enforcement or other government officials’ access to centralized DCTT user data, and publish regular transparency reports documenting such requests.

Key Questions

PLAY 6: FOUNDATIONAL AND ORGANIZATIONAL

Respect context

Meaningful and inclusive public engagement is essential to building health tools and analytics that reflect generally held collective values, including privacy, equity, efficiency, community health, and more. If deployed uncritically, digital health technologies risk exacerbating existing societal inequalities, including racial, socioeconomic, and digital divides. Coalitions that seek to deploy a DCTT initiative should recognize and address such concerns, and ensure that these technologies do not subject communities to additional discrimination or unfairness.

Checklist

  1. Create opportunities for inclusive and meaningful public engagement at every stage in the project development lifecycle, and use what is learned during those engagements to design and implement initiatives that align with and reflect the community’s values.
  2. Identify and address barriers that vulnerable or minority communities face in accessing digital tools and resources, including limited access to health care or digital services, and work to rectify them.
  3. Deploy DCTT as part of a broader strategy that ensures individuals without access to digital technologies or services are not left behind, and that does not reinforce existing biases or unfair disadvantages across communities.
  4. Recognize and account for the diversity of values held by individual members of society, as well as differing risk tolerances and privacy preferences.

Key Questions

PLAY 7: FOUNDATIONAL AND ORGANIZATIONAL

Individual data sharing must be voluntary

Governments should not require individuals to share personal health information or mandate the use of digital contact tracing technologies. Any incentives provided to encourage the adoption of such technologies must not be coercive, but rather support their equitable and voluntary use.

Checklist

  1. Get affirmative, informed consent from individuals before collecting any personal information and before making any material changes to how personal information is handled.
  2. Develop a consent flow that is appropriate to the situation and individual.
  3. Provide individuals or their legally authorized representatives with a way to withdraw their consent.
  4. Do not provide incentives that are coercive or would encourage inequitable outcomes.
  5. Do not bundle consent to DCTT with other functionalities.

Key Questions

PLAY 8: FOUNDATIONAL AND ORGANIZATIONAL

Design accessible features

In a public health crisis, the reliability and representativeness of DCTT information is vitally important. However, digital technologies and services are not always designed in ways that are accessible to individuals with disabilities and may fail to adequately record their experiences. The consequences of this sort of biased or inaccurate data can be lasting, leading to poor or inefficient decision-making, unethical or illegal data uses, or discriminatory outcomes. DCTT initiatives and features should be designed in ways that are accessible to all.

Checklist

  1. Design all DCTT initiative services to be fully accessible and based on the latest World Wide Web Consortium (W3C) Web Accessibility Initiative (WAI) standards.
  2. Support interoperability with the widest array of accessibility functions on major mobile devices possible.
  3. Explicitly recognize and rectify any remaining accessibility gaps that may limit persons with disabilities from participating in the DCTT initiative, to the extent possible.

Key Questions

PLAY 9: FOUNDATIONAL AND ORGANIZATIONAL

Hold decision-makers accountable

In order to maintain public trust and legitimacy, oversight and accountability mechanisms must be clear and functional at every stage in the process. Systems used to support a DCTT initiative must be continuously maintained and monitored to ensure that they are effective, that they are not causing harm, and that they are not imposing disparate impacts across communities. It is also essential that data protections be enforced, and that organizations create mechanisms for individuals and experts to raise concerns and ask questions.

Checklist

  1. Put public authorities in the driver’s seat, and ensure that leadership of the DCTT initiative includes public officials who are accountable to the public through appropriate electoral or appointment mechanisms.
  2. Provide individuals and diverse communities with meaningful opportunities to contribute to the design and oversight of the DCTT initiative.
  3. Designate a senior leader to be responsible for day-to-day privacy and data protection activities.
  4. Conduct regular reviews and audits of data-handling procedures to ensure that personal information is being used and safeguarded as promised.
  5. Establish mechanisms to escalate serious privacy or security concerns to initiative leaders, such as the steering committee.
  6. Create a mechanism for external researchers and experts to report privacy or security vulnerabilities.
  7. Create accessible public platforms for individuals to ask general and technical questions, file complaints, learn more, and contribute to the DCTT initiative.

Key Questions

PLAY 10: TECHNICAL AND OPERATIONAL

Keep systems secure

Centralized repositories of data can elevate privacy and security risks and attract unauthorized attempts to access or use personal information. DCTT initiatives must keep data secure against both internal and external threats. Robust technical controls such as encryption and access limitations, along with regular security audits and vulnerability tests, are essential safeguards.

Checklist

  1. Develop and document a comprehensive data security program that ensures DCTT data is protected from unauthorized access or use at every point in its lifecycle, from collection to destruction or storage, including backups.
  2. Proactively monitor and test the DCTT initiative’s systems for security vulnerabilities.
  3. Limit access to personal information through technical, legal, and organizational controls.
  4. Monitor and log all access to and handling of personal information, including by partners and service providers.
  5. Create common security protocols for each unit when federated data architectures are used.
  6. Encrypt personal data in transit and at rest, to the extent possible, using proven cryptographic techniques.

Key Questions

PLAY 11: TECHNICAL AND OPERATIONAL

Support dynamic and interoperable systems

Because public health emergencies involving communicable diseases are quickly evolving, coalitions supporting DCTT initiatives must ensure that the data produced is equally dynamic. Initiatives and the data and systems they rely on must be able to adapt to changing medical, legal, social, and technical factors. Data collected in response to a crisis such as a pandemic disease is typically needed by multiple types of organizations in numerous jurisdictions, and interoperability between digital systems is essential to ensuring collected information is able to serve its intended purpose.

Checklist

  1. Communicate with partners and service providers to design DCTT systems’ data structures for the greatest possible interoperability.
  2. Continuously monitor and evaluate whether the DCTT’s technical design is appropriate and responsive to the current public health situation.
  3. Embed privacy by design principles across the lifecycle of DCTT.
  4. Follow or establish common standards for data protection, preservation, and quality among the initiative’s partners and service providers.
  5. Agree on a common protocol and compatible data structures to ensure minimum necessary exchange and processing of data.

Key Questions

PLAY 12: TECHNICAL AND OPERATIONAL

Conduct privacy risk assessments

When responsible organizations identify new ways to collect or use personal data, they utilize privacy impact assessments (PIAs) to systematically identify and address potential privacy issues. Given the volume and sensitivity of personal information required for effective pandemic response, including information related to health status, location and mobility, and employment, DCTT initiatives must proactively identify, document, and mitigate potential privacy risks. Best practices, frameworks, and tools for conducting privacy and data protection impact assessments are well-established in both the public and private sectors.

Checklist

  1. Conduct a PIA as early as possible, before the DCTT initiative collects or handles any personal information.
  2. Document any potential privacy risks identified by the PIA and how they will be addressed or mitigated by the initiative, including its partners and service providers.
  3. Complement a privacy risk assessment with a data benefit assessment, so that the benefits and risks to individuals, communities, and society as a whole can be considered holistically.
  4. Articulate any countervailing policies or factors that justify accepting whatever residual privacy risks remain.
  5. Publish privacy risk and benefit assessments for public review.
  6. Review PIAs on a regular basis, and update them whenever there is a material change in how personal information is handled.

Key Questions

PLAY 13: TECHNICAL AND OPERATIONAL

Support individual controls and choices

Individuals who choose to adopt digital contact tracing technologies should have their privacy and data protected by design and by default. To the extent possible, individuals should be able to make meaningful choices about how, with whom, and for what purposes their personal information is shared, as well as an ability to change their mind. Users should be able to view, correct, or request the deletion of their personal data, to the extent possible.

Checklist

  1. Let individuals see and access the personal data that the DCTT initiative, including partners and service providers, holds about them.
  2. Give individuals a way to make corrections to the personal data that the DCTT initiative holds about them.
  3. Allow individuals to delete or request the deletion of their personal data, to the extent possible.
  4. Provide individuals with portable, machine-readable copies of their personal information that the individual can transfer to another service if they desire.
  5. Allow individuals to request human review of any automated decision-making that would have a legal or similarly significant effect.

Key Questions

PLAY 14: TECHNICAL AND OPERATIONAL

Apply privacy enhancing technologies (PETs)

Public health initiatives collecting and handling personal information should adopt advanced privacy-preserving and privacy-enhancing technologies from the outset. Sophisticated approaches such as differential privacy or secure multiparty computation should be considered where practical, and technical measures should be complemented with organizational and legal controls. DCTT initiatives should incorporate the most robust privacy-enhancing technologies appropriate given analytic and public health needs, and the techniques and methodologies applied should be published publicly to enable independent review.

Checklist

  1. Incorporate privacy and data protection checks at each stage of the software development lifecycle.
  2. Test systems before deployment both with and without privacy enhancing technologies incorporated, to identify where data leakage or exposure is greater.
  3. Interface often with security and design teams to ensure software architecture choices do not inadvertently undermine incorporation of privacy enhancing technologies.
  4. Publish your technical documentation and methodology so that it is available for public review.

Key Questions

PLAY 15: TECHNICAL AND OPERATIONAL

Prepare DCTT users for possible uses of data in Artificial Intelligence (AI) and Machine Learning (ML)

Machine learning-based technologies can play a substantial role in this pandemic and future public health response measures. Experts can use machine learning to study the virus, test potential treatments, diagnose individuals, analyze the public health impacts, and more. Digital contact tracing data will provide valuable information from which such systems can draw insights into individual and group behavior. When coalitions support DCTT initiatives that expect data will be used in AI or ML research or development, additional data protection precautions must be taken.

Checklist

  1. Monitor DCTT systems that use ML (e.g., to optimize individuals’ experiences or improve functionality of exposure notifications) for performance and model drift.
  2. Utilize privacy-preserving ML techniques, such as federated ML, and monitor them on an ongoing basis to ensure that privacy is maintained.
  3. Conduct extensive audits of ML systems during development, testing, and deployment.
  4. Design stakeholder values into ML systems, where technically feasible.
  5. Conduct differential impact assessments on ‘intermediate models’ of DCTT systems using ML, in order to test whether they create discriminatory impacts.

Key Questions

PLAY 16: TECHNICAL AND OPERATIONAL

Delete or de-identify after the public health emergency

DCTT data processed in response to the crisis should be kept only for the duration of the public health emergency. Once appropriate authorities have determined that the crisis has ended, personal information should be promptly deleted or permanently de-identified. In certain cases, it may be appropriate for non-identifiable information to be kept for limited, public-interest historical and research purposes, subject to appropriate ethical safeguards and controls.

Checklist

  1. Promptly de-identify any remaining personal information after the public health emergency, using robust technical, organizational, and legal safeguards appropriate to the circumstances (see Play 14: Privacy Enhancing Technologies).
  2. Promptly and securely dispose of any remaining personal information after the public health emergency, both physically and electronically.
  3. Communicate with the scientific community early in the initiative’s development process to determine which forms of data should be considered an important part of future scientific research.
  4. Give individuals opportunities to opt-in to public-interest historical and research use of their personal information, where appropriate.

Key Questions

PLAY 17: TECHNICAL AND OPERATIONAL

Seek independent ethical review

Given both the significant benefits to society and the significant privacy risks to individuals of DCTT, it is essential that DCTT initiatives are held to the highest standards of ethical governance and digital design. Ethical reviews are also important for determining which secondary uses of DCTT data, such as public interest or historical research, are appropriate. Such review processes could consist of several components, such as review by an internal committee, an external committee, or a body of collaborative stakeholders. Ethical standards appropriate to DCTT initiatives should be defined by the groups producing or impacted by the technology.

Checklist

  1. Establish an ethical review process to assess the privacy risks arising from collecting, sharing, combining, using, and/or preserving DCTT data.
  2. Require ethical review and ongoing oversight for any new or materially changed data collection practices, features, and uses.
  3. Publish the ethical standards or frameworks that will guide ethical reviews for the initiative.
  4. Gather experts and form an independent body or board that is not involved in the design or conduct of the DCTT initiative and that receives no monetary contribution for any intended collection or uses of the data.
  5. Document the decisions and rationale of each ethical review conducted.

Key Questions