A new data governance model for contact tracing: Authorized Public Purpose Access

The use of contact tracing apps during the COVID-19 pandemic has sparked debate about the impact of such tools on privacy and human rights. Contact tracing apps can be powerful weapons against the virus – but they can also be tools for state surveillance.

In response to government efforts, several private-sector initiatives have emerged that promise to be more conscious of privacy. Among them is an exposure-notification platform developed by Google and Apple (Apple-Google Exposure Notification Framework, or AGF). The platform shields users from government monitoring, but in doing so, effectively places the technology developers (the data holders) in the role of the state. This raises the stakes for governing how these private companies use the data they collect.

In addition, AGF enrolls participants using a consent-based model, which has sometimes proven inadequate to control of the spread of infectious diseases; countries that have made active use of personal data have, on the whole, been more successful at suppressing the virus. The challenge, especially during a deadly pandemic, is to balance the rights of individuals with the needs of society at large.

Broadly speaking, contact tracing apps fall into three categories:

1. Centralized tools to isolate infected people and restrict access to facilities and other areas, based on the user’s infection status or degree of contact with infected or potentially infected people. Such apps are generally used to enforce state-determined restrictions on individuals’ movements and behavior, with participation mandated by authorities. Examples include China’s app to limit access to facilities, and South Korea’s app to isolate infected people.

2. Decentralized tools designed for use by public health authorities to identify close contacts of infected people. Various regulatory and technological means are employed to ensure privacy and participation is voluntary. Examples include apps using location data (India, Iceland, Ghana) or Bluetooth (Singapore, Australia, UK, France).

3. Decentralized tools designed to promote behavioral change in individuals by notifying them about potential contacts with infected people. The identities of close contacts are not shared with authorities. Examples include apps using fully anonymized data (Germany, Switzerland, Estonia) or only location data (Israel).

A decentralized, consent-based approach solves the user-data problem, but could be ineffective in tackling the virus. To be effective, these apps need a participation rate of more than 60% of the population. Singapore's TraceTogether – one of the more advanced and assertively promoted contract tracing apps in the world – has a penetration rate of 37%, and Australia's COVIDsafe has a penetration rate of 22%. If the use of the app is not compulsory, achieving the required participation rate is likely to be difficult.

Critics argue that approaches relying too much on users’ consent to protect privacy cannot adequately address infectious diseases such as COVID-19. On the other hand, there is growing concern that centralized, data-based approaches will lead to a “surveillance society.”

Until now, the contact tracing discussion has been framed as a choice between two options: consent or anonymization. That is, tracing apps must either secure individual’s explicit consent or strip the data they collect of any identifying personal information.

Are those really the only choices?

We think other solutions are possible. The Authorized Public Purpose Access (APPA) framework developed for a recent World Economic Forum whitepaper is not consent-based, nor does it rely on the anonymization of data in the absence of consent. It addresses – and seeks to balance – three key factors: individual rights, the interests of data holders, and the public interest.

Under APPA, personal data can sometimes be accessed and used without explicit individual consent, provided this is done for a specific, widely agreed-upon public purpose. The key governance question shifts from “who owns a given piece of data” to “who should be allowed to access the data, under what circumstances?”

In the case of COVID-19, the broad public purpose for accessing and using data — information about people’s health, movements and so on — is to suppress the spread of the virus and save lives. Specific public health goals and approaches will inevitably vary from country to country, but APPA can encompass a wide range of values. The framework assumes the purpose is legitimately “authorized” – that it is the product of social consensus and overseen by entities trusted by the public. Only when those conditions are met can governance be considered appropriate.

APPA-based data governance provides a topline view regarding how data would be accessed by a tool using this framework. These steps are:

Using this framework, COVID-19 tracing apps that don’t use data with personal information would receive a “green light”. Since there are no privacy restrictions, such data use would require no further vetting.

Apps that trace contacts between individuals, in contrast, inevitably require personal information. That takes us to step two: Check for consent. If the person associated with the data has consented to its use, that is another green light. Many contact tracing apps, including the Google-Apple platform, use this model.

APPA’s distinctive governance framework comes into play in step three. Until this point, the vetting process has been consistent with existing consent-based approaches to managing personal information. But consent-based measures aren’t enough to suppress the spread of the disease. Under APPA, it would be possible to open access to personal data needed to track COVID-19, so long as that purpose has been widely agreed upon and the kind of data to be used clearly defined.

An APPA “White List” of approved data might be created though the passage of special laws. (This, essentially, is the approach taken by South Korea, which amended its privacy law in 2015 to address public-health emergencies.

The APPA approach also includes third-party oversight. New data-management platforms such as Data Commons have the potential to protect individual rights by integrating third-party auditing. An important remaining task for governments and other decision-making bodies is to determine how third-party organizations will be established and certified, and exactly what kinds of data access they will be empowered to audit.

Right now, the path to the end of the COVID-19 pandemic remains unclear. In an ever-changing situation, more discussions with a wide range of stakeholders could make APPA a reality.

This change will not be easy and will require a new social consensus that embraces the use of technology to resolve problems for the good of all. This new mindset would balance concerns over privacy and other issues with the potential to create value and improve lives.

Still, the pandemic has shown that massive change can come quickly – and that broad collaboration is possible. APPA would not just assist in the live-saving effort to conquer COVID-19, but could also activate a new technology mindset. Such a shift could usher in a new era of data governance that balances individual rights, the interests of data holders and the public interest for future technological solutions.

Contributing to this article include: Chizuru Suga, Head of the World Economic Forum Centre for the Fourth Industrial Revolution Japan; Seiichiro Yamamoto, Project Lead for Healthcare Data Policy; Jonathan Soble, Editorial and Communication Lead; Shigehiro Muraki, Head of Administration; Fumiko Kudo, Project Strategy Lead; Yusuke Inoue, Healthcare Data Policy Project Fellow; Reiko Onodera, Healthcare Data Policy Project Fellow; Yasunori Suzue Healthcare Data Policy Project Fellow