How to strike the balance between data accessibility and data privacy in the case of contact tracing applications (Preprint)
BACKGROUND: The ongoing COVID-19 pandemic has resulted in the rapid implementation of data-driven innovation as part of the efforts to curtail the spread of the virus. However, not all digital solutions have been launched expeditiously. A case in point is the adoption of contact tracing mobile applications, which triggered a debate regarding data privacy. The objective of our study is to discuss the effective use of digital solutions that are in compliance with data privacy regulations.

OBJECTIVE: To address the question of how to strike the balance between data accessibility and data confidentiality to ensure the greatest benefit of contact tracing mobile applications.

METHODS: A systematic review of PubMed, Medbase, and grey literature was performed. To ensure a standardised approach for reviewing contact tracing applications, two checklists assessing both effectiveness and compliance with data privacy were developed. The digital solutions were also ranked using a scorecard comprising 16 criteria.

RESULTS: Overall, 18 applications were reviewed. While seven provided a definition of contact tracing, eight allowed for COVID-19 test result verification and only one defined the efficiency threshold. Explicit consent was requested in 15, and anonymisation techniques and data retention were provided in 14 and 13, respectively. Compliance with data minimisation in terms of Bluetooth was reported in seven cases. Principally, 10 applications collected additional information, of which six adopted anonymisation and/or aggregation for data sharing with a third party. The decentralised approach was identified in eight of 18 cases. With regard to ranking, COVIDSafe received the maximum score (15 of 16 points), while Alipay Health Code ranked last (-3 of 16 points).

CONCLUSIONS: Compliance with data privacy was highest with respect to explicit consent and data retention, and lowest with respect to data minimisation and data sharing in an anonymised and aggregated manner. There is still room for improvement in terms of the usefulness of digital contact tracing in compliance with data privacy regulations.