When Privacy Matters | Not all Digital Contact Tracing Solutions Are Alike

13 November, 2020 | Sebastian Andreatta

With the arrival of the fall months and cooler weather, outbreaks of COVID-19 are increasing and institutions are struggling to keep their programs active. Many colleges and universities are already planning to transition from remote to on-site instruction after the holidays. In all cases, institutions are coming to grips with the necessity of planning for the long haul, expecting to coexist with this pandemic for some time. A growing number of forward-thinking administrators are looking further ahead, to be alert and prepared for similar challenges to campus health in the future.

Educational leaders now better understand the best practices for dealing with the pandemic: wear masks, test regularly, isolate when necessary, clean infected areas immediately and perform contact tracing. The last is the most complicated because it requires manually contacting people to locate those who were exposed. As done now, this takes time and effort and has relatively low compliance. In short, manual tracing is far too slow in a large, dynamic environment like a campus, so the solution is to enhance the contact tracing program with digital discovery and exposure analysis. By augmenting it with automated digital solutions, an organization can quickly identify all exposed individuals and react immediately to isolate and test affected people and places. Unlike this past spring, there is now a plethora of solutions to help.

The problem now is not whether, or even how, to provide automated contact tracing, but which solution would be most effective for a given campus. Since the data collected to help identify infected individuals are by definition sensitive personal health data (both PII (Personally Identifiable Information) and information covered by HIPAA), the question at the top of the list when evaluating alternatives is: Is this solution truly private?

Any solution you select should meet some basic criteria:

  1. Must not compromise personal privacy
  2. Should not put the organization at risk
  3. Should not risk delaying your response
  4. Should not require investing in a disposable solution (a point solution that offers no long-term value for your investment)

To make an informed decision, an administrator needs to look a bit under the hood of any solution and ask a few questions:

Is sensitive user data truly secure? Ideally, the vendor provides a complete and integrated solution that has privacy designed from the ground up. Things to look for:

  • Collected data must be encrypted; that is critical to security. The solution should collect only the information necessary to accomplish the task, and analysis should be performed on encrypted data, with only authorized personnel able to access decrypted details.
  • The solution should be end-to-end, i.e., it should integrate with your own registration, human resources, and authentication systems. Vendors that leave this critical task to you or a consultant should disclose the additional cost and deployment impact.
  • Products that are built with analysis in mind are designed to provide or facilitate easy integration with your internal applications. Products that are not optimized could be marketing a standard offering as a “contact tracing solution,” with only minimal attention to integration and security.
  • In all cases, you should look at the company’s experience and level of expertise in analyzing sensitive data. Look at a vendor’s core solution; demonstrable experience in this sort of analysis is the difference between an expertly designed solution and a product rebranding as “me too.”

Is the data centralized or distributed? Centralized data means the information is located in a central repository (a local secured server, or secure Cloud account). Distributed means that the data may be on multiple devices and databases.

Centralized data affords much tighter control and security of the information: regardless of whether it is in the cloud or held locally, an organization can apply encryption and access controls to make sure that only authorized individuals can access it. Distributed information gathering systems (as with Bluetooth-based apps for contact tracing) have the advantage of giving control to the app owner, but they also create many more opportunities for data breaches.

Who can access the data? The contact tracing provider should implement enhanced security, such as two-factor authentication. Only critical health and security managers should be allowed to view PII. When additional features are implemented, access should be enabled only for the class of data managers who must have it. There should also be a system of record to audit data access and what was searched.

Can the data support other needs beyond contact tracing? This question speaks to the value provided by the vendor (giving you more bang for your buck). When analyzed, data collected can not only be used to alert infected individuals, but also identify locations that need to be cleaned, alert health teams when people are violating social distancing protocols, and understand how to reengineer facilities to minimize congestion for everyone on campus.

Does the data sunset? The system should be sophisticated enough to automatically delete and retire any search and its associated data. In the case of COVID-19 and based on CDC guidelines, data older than 14 days is no longer relevant and should be deleted.
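The access-control, audit and data-sunset requirements above, as an added example that is not code from the article or from Kiana Analytics: a minimal in-memory store that lets only assumed PII roles run exposure searches, logs every search (including denied ones) as the system of record, and purges sightings older than the 14-day window. Encryption at rest, two-factor login and integration with the real authentication system are assumed to be handled outside this snippet; the role names, location identifiers and sample sightings are constructed.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=14)                      # CDC-based window cited in the article
PII_ROLES = {"health_manager", "security_manager"}  # assumed role names allowed to view PII
# one observed presence: user id (from the institution's auth system), AP/room id, timestamp
Sighting = namedtuple("Sighting", "user_id location seen_at")

@dataclass
class TraceStore:
    sightings: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)   # system of record for every search/purge

    def record(self, user_id, location, seen_at):
        self.sightings.append(Sighting(user_id, location, seen_at))

    def sunset(self, now):
        """Delete every sighting older than RETENTION and audit the purge; returns count removed."""
        cutoff = now - RETENTION
        kept = [s for s in self.sightings if s.seen_at >= cutoff]
        removed = len(self.sightings) - len(kept)
        self.sightings = kept
        self.audit_log.append((now, "system", "sunset", f"removed={removed}"))
        return removed

    def exposures(self, actor, role, index_case, window, now):
        """Users co-located with index_case within `window`; logged before the role check."""
        self.audit_log.append((now, actor, "exposure_search", index_case))
        if role not in PII_ROLES:
            raise PermissionError(f"role {role!r} may not view PII")
        hits = set()
        for c in (s for s in self.sightings if s.user_id == index_case):
            for s in self.sightings:
                if (s.user_id != index_case and s.location == c.location
                        and abs(s.seen_at - c.seen_at) <= window):
                    hits.add(s.user_id)
        return sorted(hits)

def demo():
    # constructed sample data: one stale sighting (carol) and one co-located contact (bob)
    utc = timezone.utc
    now = datetime(2020, 11, 13, 12, 0, tzinfo=utc)
    store = TraceStore()
    store.record("alice", "library-ap-3", datetime(2020, 11, 12, 10, 0, tzinfo=utc))
    store.record("bob",   "library-ap-3", datetime(2020, 11, 12, 10, 10, tzinfo=utc))
    store.record("dave",  "gym-ap-1",     datetime(2020, 11, 12, 10, 5, tzinfo=utc))
    store.record("carol", "library-ap-3", datetime(2020, 10, 20, 9, 0, tzinfo=utc))  # >14 days old
    removed = store.sunset(now)
    contacts = store.exposures("nurse1", "health_manager", "alice", timedelta(minutes=15), now)
    return removed, contacts, len(store.audit_log)
```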


Know your Tech Tracing Options


Digital solutions from Bluetooth-based apps (think Apple and Google COVID solution) to WiFi-based tracing are all readily available. Both promise to identify individuals who are infected, and either alert the individuals or the institution to take preventative measures. However, in many cases the data captured is not always secured or collected in a manner that retains privacy standards required to protect individual information.

Bluetooth apps are ubiquitous, but unfortunately, with time, they have proven to be increasingly unreliable and prone to false positives (and the institution is not informed of any results). Many implementations have been shown not to provide adequate privacy protections. When considering Bluetooth applications, one must be assured that management of and control over the data are secure. The nature of these apps is that they ostensibly keep the data only on the device. However, they provide their service via a cloud service (Apple, Google, Salesforce, and others), which is inherently insecure. A recent study from the University of Utah analyzed 60 contact tracing apps and found that over 50% were not as secure as advertised. In Germany, a national effort for a contact tracing app was dropped when researchers identified critical privacy issues. These apps require a third party (like Apple or Google) to collect and manage exposure data. Finally, for the solution to work at all, apps require a very high adoption rate AND app users must regularly report their health status. A combined adoption and usage rate of 65-70% is needed for a solution to be effective. The best adoption rates in the West are under 40% (Iceland).

Solutions using existing WiFi infrastructure are inherently more reliable and accurate and take advantage of infrastructure you already own, but the way different vendors implement contact tracing may leave your institution at risk of exposing sensitive data and subject to privacy breaches. Many WiFi device vendors promise they are contact tracing “capable” but require substantial development or third-party support to integrate with HR, authentication and registration systems in order to effectively identify, locate and alert the affected individuals. Most enterprise WiFi manufacturers’ solutions only provide rudimentary local information from individual access points, making them incomplete at best and requiring substantial integration effort to provide meaningful and secure contact tracing. In all cases, when vendors require you to integrate your systems on your own or through contract development, this inevitably opens up opportunities for a data breach. It’s like building the airplane as you fly it.


Make your Decision


So how do you select a solution that is both accurate and able to deliver truly secure and private protection of student and staff PII data?

For starters, focus on solutions from vendors experienced in mobile user analytics who understand privacy requirements such as GDPR and CCPA from the start. Make sure privacy is the core of the solution and not a bolted-on afterthought. Next, since this is an investment, make sure you get multiples of value for your dollar. Well-thought-out solutions will enable you to meet other health objectives such as targeted cleaning, site management and physical security. These solutions will also be able to adapt to other health and wellness requirements over the coming years (even flu season could be better managed). Look out for hidden costs such as integration charges for adapting to your institution’s environment. The ideal solution is comprehensive and inclusive of your campus’s unique management systems. And finally, remember that a vendor that has access to unencrypted information could compromise PII without your knowledge.

Making a decision can take a bit of time, but it is time well worth spending before you invest in any solution that could expose sensitive information to outside actors and give your institution a failing grade in protecting your student and staff health and personal data.

About the author:

Sebastian Andreatta is a co-founder and COO of Kiana Analytics, recently included in Gartner’s “CIO Guide: How Location Services Can Help Mitigate COVID-19 Spread”. To learn more visit