Due to the COVID-19 crisis, businesses and governments have developed contact tracing apps to help health authorities overcome the situation. Although the effectiveness of those applications is still unclear, they happen to process large amounts of personal data. Respectively some of them tend to operate in the gray area of data protection regulations like GDPR and HIPAA.
Here comes the important questions – how is the collected sensitive data processed by those mobile apps? Basically, there are two main approaches of data storing – locally on the user’s device or on a centralized server.
This approach entails sending the personal data collected straight to a centralized server. Countries like Germany, for example, make sure that the data is first anonymized before being passed to the server. Others, however, like China, tend to send quite a lot of identifiable information to the external server. This, of course, is a matter of local data protection regulations and standards.
One of the main disadvantages of this methodology is that after the information is sent to the server it can be passed to third parties such as authorities and analytics companies, for instance. This can possibly lead abuse and misuse of sensitive personal data.
Graph 1: German Corona-Datenspende app process
By using a Bluetooth Low Energy technology, the decentralized approach relies on keeping the data locally on the user’s device. Each user gets a pseudonymized ID and the idea is to keep a log of the people with whom you have been in a proximity to within the past weeks. If somebody anonymously declares themselves as COVID-19 positive, all those who have been in contact with him/her will be alerted and provided with further advice.
With the decentralized privacy design implemented the user’s data will remain fully anonymous and it cannot be passed to third parties. That way we prevent the possible abuse of data.
Graph 2: Apple-Google app process
When it comes to the question – centralized vs. decentralized approach, the European data protection community agrees on the advantages of the decentralized methodology. They argue that the centralized approach risks putting pressure on fundamental European rights since it requires data to be stored on an external server where sensitive information such as location and health status can be violated. Despite that plenty of governments and companies still decide to rely on the centralized approach, which they consider a better fit for their policy-making.
If you would like to explore the topic further, watch the recording of our “Privacy in Time of Pandemic: Centralized vs. Decentralized Approach” webinar to take a closer look at both the technical and practical sides of the two approaches. Anton Gerunov, Co-founder and COO of LogSentinel, compares the two methodologies and discusses the pros and cons of each. He reviews some of the most widely downloaded contact tracing apps such as the Singapore’s TraceTogether and the China’s health code app.
In case you are currently looking to protect the sensitive data your systems collect and store, you should consider LogSentinel’s information security and compliance solutions. SentinelDB, our privacy-by-design, GDPR-compliant database, is designed to fully conform to major privacy and data protection regulations like GDPR, HIPAA and CCPA. It encrypts each record separately using field-level encryption with a secure key hierarchy so that no data breach can occur.
If you’d like to hear more about how we cover all data protection and audit trail requirements, just click on the button bellow and book a convenient slot.