From the end of March through early May, Castlebridge conducted a series of desk research activities into the complex world of Contact Tracing applications. These desk research reports were provided as input into Contact Tracing application development processes in Ireland and other jurisdictions and helped inform the commentary and input the Castlebridge team was making on this topic in various media.

In the interests of supporting future discussion on this topic, we have decided to make some of these commercial research reports available for open access at this time.

Each document represents the best efforts research at the date the document was prepared based on available sources. As this was an incredibly fast moving area in the month of April, there are a number of sources of information that are not included or referenced but which we feel provide extremely valuable additional context in this area. In particular, the work of Doug Leith and Stephen Farrell in Trinity College Dublin is important reading that adds an important rigour on the question of the adequacy of the data being processed for the stated need.

An Operating Layer Model for Contact Tracing Applicatoins

 

The diagram opposite summarises some of the areas of concern and highlights that the data protection and data quality issues in these type of applications arise at a number of levels ranging from the laws of physics governing the radio signal environment in which the Bluetooth LTE sub-systems on a device are attempting to record Signal Strength and other factors, which must then be interpreted and analysed within the device Operating System or an API layer that can interact with the operating system to access the data recorded from the BTLE layer.

And all of that is before we get to the question of how the Public Health Application sitting on top of all of that on the device presents information about what is being done with data, drives communication events in response to Exposure Notification Triggers etc. At each layer in this model, there are potential issues in terms of basis for processing, adequacy, accuracy, and fitness for purpose. And a DPIA needs to address these issues robustly to ensure that appropriate expectations are set and managed and that the appropriate public health objectives are correctly supported.

It is our hope that this framework, and the background research that contributed to us developing it as a way of putting some context on the various issues that need to be considered in any robust assessment of this type of technology implementation.

 

Castlebridge Reports – March/April 2020

ReportDescriptionDate
Initial research report30th March 2020
Version 2.5End April 2020
Executive Summary to Version 2.5End April 2020