Faced with the prospect of an ongoing pandemic through 2021 and into 2022, organizations must consider what tools they can use to help them safely re-open for employees and customers. Among these strategies, digital contact tracing (DCT) apps can offer an effective solution for an enterprise, but first you need to sort through a number of considerations.

From the beginning of the COVID-19 pandemic, analysts identified the potential for digital contact tracing systems to supplement or even replace traditional manual methods used by public health authorities. Broadly, contact tracing refers to the process of identifying, tracing, and contacting every person that an individual infected with a communicable disease has encountered. Contact tracing is a longstanding public health tool that has been used by governments in countering the spread of disease. Contemporary society is saturated in technology; almost all of us now carry a supercomputer in our pocket. This has given rise to the notion of ‘digital contact tracing’ – using our devices and digital systems to control the pandemic.

There are far more than 100 DCT apps available throughout the world to date, and they differ widely in function, architecture and underlying intention. On the level of architecture and functionality, DCT apps usually integrate some sort of case management functionality alongside either a proximity tracing or location tracking system which notifies the user of potential exposure. Case management functionality is used to carry out diverse tasks such as test and symptom data input, provision of advice and recommendations, reminders and venue check-ins.

Proximity and exposure systems provide the ‘core’ of the apps, for they are designed to automatically track whom individuals meet, thus automating the work of traditional contact tracing. They are split between Bluetooth and GPS-based systems, which respectively make up ~68% and ~19% of DCT apps we identified, with the remaining ~13% a hybrid of the two. More broadly, the apps are also divided on whether they are based around centralized or decentralized processing of data collected by individual devices.

The different apps can have varying design intentions. There are apps designed to limit spread by asymptomatic carriers, apps designed to provide public health authorities with granular information on the spread of COVID-19 in specific areas, apps designed to limit spread and more.

To consider whether your organization needs a contact-tracing strategy, as well as what might work best for your enterprise, consider the following:

  1. Do you even need a contact-tracing strategy?

In defining a digital contact tracing strategy, organizations must decide whether or not they even need one distinct from efforts undertaken by local health authorities. It helps to ask a range of questions.

What is your purpose in having a DCT strategy? Is it reassurance of employees and customers? To eradicate all instances of the disease? To manage risks?

It may be that a good DCT strategy for your organization is as simple as encouraging your employees and customers to ‘check in’ with a public app when entering your premises. Be aware of what your underlying purposes are, and assess available systems accordingly.

Consider the nature of your organization and priorities. Is there something about the nature of your operations that makes COVID-19 especially likely to spread within your premises? Are your employees or customers particularly vulnerable? How much risk of infection can you tolerate? The risks of workplace spread in meat processing facilities, such as at the Smithfield Pork factory in South Dakota, are widely known; other sectors which involve close contact over an extended period are at a similar risk.

Consider your geographic context. How widespread are testing facilities in your area? How widespread is the official DCT app in your area, and how effective is the official DCT in picking up who has been exposed to COVID-19? In the United States, no private or official application has yet reached 10% coverage of potential users in its jurisdiction. This is significantly below the University of Oxford's low estimate of 56% as the percentage of the population using a DCT app necessary for effective suppression of the virus. Even world leaders in application uptake such as Singapore and Iceland are still only reaching approximately 40% coverage.

Many apps rely on being tested for COVID-19, and then on the results of that test being shared. Are there testing facilities in your area, and how long can the organization afford to wait for the results? In the absence of testing, symptom-based risk scoring may be of greater utility.

You should also be aware that the government-run test, trace and isolate programs are not of guaranteed efficacy, as recent evidence from King's College London found adherence to self-isolation following exposure may be as low as 18% in the UK. Similarly, the study found recognition of COVID-19 symptoms to be low, indicating the requirement to educate individuals on when to get tested.

  2. How do you select a contact-tracing solution?

Having identified what your needs are, you must then consider the apps themselves and the extent to which they meet your requirements. Interrogate what the app is designed to do, and how it will help you protect your staff and the wider public and manage risks. The function and architecture of the app you choose will impact your ability to tailor your response to your organization’s needs.

In assessing the apps, you should consider the performance of the app in accurately logging proximity and exposure of individual users to one another. Does it meet your needs? Consider how many people have downloaded an app already. Has it been thoroughly tested? Are other enterprises using it?

Aside from the core exposure and proximity functionality, is there any other additional functionality to the system that will help you meet your needs? Additional privacy features, for instance?

It’s important to note that ‘Exposure Notification’ apps are of limited accuracy and require voluntary self-reporting of COVID-19 infection. Frankly put, the bulk of apps on the market are of limited efficacy in logging exposures. In particular, Bluetooth-based systems have well-attested weaknesses in proximity logging – even those using the Google/Apple Exposure Notification API (GAEN) are of limited utility in many contexts. One recent study determined that exposure notifications between handsets within rail carriages were no better than random selection; exposure notifications were incorrectly triggered 50% of the time.

Notification-based systems only tell people when they or someone they have encountered have tested positive for COVID-19; this requires an accurate location picked up by the app, a positive test, and people actually entering their test results. Can you afford to rely on each of these steps working as it should?

Many DCTs are not true contact-tracing tools. Decentralized systems like those using the GAEN API prevent central authorities from seeing which individuals are infected or infectious. Instead, they anonymously notify other users of the app of potential exposure to someone who has reported a positive test result. This may not fit your organization’s use case.

There are risk-based apps that may be useful to flag the infection risk of symptomatic and asymptomatic individuals prior to a positive test.

In some cases, CSOs may wish to consider moving away from mobile phone-based DCT altogether. Wearable devices may be more suited to the task at hand, and better at identifying who has been in proximity to one another in the workplace. Both wearables and mobile-based systems can also be adapted for greater indoor accuracy via the use of Bluetooth beacons or Wi-Fi-based tracking indoors.

At a national level, an initiative to distribute wearable Bluetooth-based “tokens” to non-smartphone users has been launched in Singapore. Nevertheless, engendering trust remains an essential component of success, with a study from Nanyang Technological University showing that Singapore’s tokens are still met with concerns over privacy.

  3. Be aware of the trade-offs.

With all of the potential options and solutions available to implement contact tracing, it’s important to be realistic about each solution’s features and trade-offs. For example, use of Bluetooth sacrifices accuracy to preserve privacy. Decentralized processing privileges privacy over capacity for centralized analysis and insights.

Some perceived trade-offs are surmountable. Certain apps utilize anonymous network models to provide centralized processing and personal risk scoring without sacrificing privacy.

  4. Embed DCT use in your organizational context.

This will vary depending on your organization, and could include things like making sure employees and visitors check in on entering a new building or room, requiring employees to update their symptom scores every day, and ensuring all have the most up-to-date version of the apps.

Consider whether you make use of a contact-tracing app voluntary or mandatory, and the sentiments the latter may generate in people connected to your enterprise. If you decide to make an app voluntary at your organization, for example, features that engender trust, such as safeguards over personal data and privacy, may be required to encourage sufficient buy-in.

  5. Ensure trust at all costs.

If workers and customers do not trust the app, it will not be effective in its stated purpose, and attempts to enforce usage of the app may cause discord and tension. In our research, we have found that among DCT apps globally, Bluetooth-based and GAEN-based applications are generally the most trusted, especially in countries where trust in government is low. The GAEN API, which was developed by Google and Apple for the purpose of DCT in light of COVID-19, is governed by a privacy-preserving protocol designed to ensure that applications on their devices are decentralized and Bluetooth-based, with personal data encrypted. The trust gained through such features, coupled with the favorable public opinion both brands already possess, has a tangible effect on voluntary uptake, as apps perceived as untrustworthy have a lower average daily download rate than those which are trusted.

As such, companies must do all they can to ensure that trust in their policies is maintained. To do that, make sure that ill or self-isolating employees are supported. If employees feel that they will be penalized for reporting their infection status or symptoms, or for using the app in good faith, they will simply lie or find ways to hide their status. Cases where employees have been compelled to hide their illness in tight conditions, such as at a clothing factory in Leicester, have forced businesses and even entire cities into lockdown. As such, it is in the interest of all that self-isolating colleagues continue to be paid. And where relevant, make sure that employees have health coverage for any period of COVID-19-related sickness.

Other important ways to ensure trust in your organization’s response are to communicate clearly on privacy and security and to give users autonomy. There has rightly been an intense public debate regarding the privacy risks of DCT apps. Make sure that you communicate clearly to your staff and customers the ways in which the system you choose protects their privacy and security.

Additionally, utilize systems where users are empowered with control of their data, and have access to clear, easy-to-understand knowledge of their status and risks regarding the pandemic.

  6. Consider your relationship with supply chain stakeholders.

A final consideration with contact-tracing solutions is to determine how the processes will affect or influence other organizations around your enterprise. Depending on the contact-tracing solution you deploy, privacy-preserving data-sharing can be possible. However, most apps will not enable this.