• False negatives due to reliance on the index case remembering and knowing the contacts and the specifics of the encounter and the lack of skills of the contact tracer
• False positives can be mitigated by skilled contact tracers and gathering of information about the context and intensity of the contact

• Elapsed time of days between confirmed infection and identification of contacts
• Elapsed time might increase with spike in contagion without proportionate scaling of the contact tracing staff

• Possible

Insights in transmission routes

• Person-to-person, environmental
• Presymptomatic
• Asymptomatic

• All transmission routes can be covered (unclear how environmental transmission is detected though)

• Possible, as the index cases and potentially infected contacts are identified.

• Possible through analysis of the data gathered

Efficient use of resources

• Triage
• Testing
• Contact tracers

• Possible on triage and testing
• As a method for contact tracing, this is very resource-intensive

• Direct interoperability with test results
• Regional interoperability: probable
• International interoperability: unclear
• Epidemiological surveillance: probable

• Depending on the privacy preservation approach and possible mitigating measures like healthcare provisioning

• Reach is not relevant
• Scale is problematic. With exponential character of contagion if R0>1, staffing up will not be possible

• Experience at this scale does not exist in Belgium
• Staffing and information system provisioning is ongoing.
• Scaling is problematic. With exponential character of contagion if R0>1, staffing up will be challenging

• System depends on the memory of the index cases, on their availability, on their contact availability, on the working hours of contact tracers, on the skills of the contact tracers

• Although this system is ‘tried-and-true’ it has never been applied at the current scale.

Minimal Requirements

• GDPR compliance

• Although the initial plans were rejected by the Data Protection Authority, it is to be expected that an adapted version will be green-lighted and therefore must be GDPR compliant.
• Assumption is that the processing will be based on the legal ground ‘public interest (art. 6, 1, e GDPR) and shall be laid down in a Belgian legislative framework
• Personal data about index case (identity, whereabouts, contacts, health status) is gathered with collaboration of the data subject
• Personal data about interpersonal contacts (identity, partial whereabouts, partial contacts) is gathered without consent. This raises questions whether this is proportionate to the intended purpose.
• Only data of infected and potentially infected subjects are stored.

Augmented Requirements

• Adhere to the joint civil society statement: “States use of digital surveillance technologies to fight pandemic must respect human rights” (see Joint Civil Society Statement)
• Solution is temporary
• Purposes are limited to responding to the pandemic and phasing out the restrictive measures
• Principle of least privilege
• The way back to normality is known
• Full Transparency (code, data, algorithms)
• Granular user consent, regardless of the legal base
• No mandatory use by citizens
• No access to data except for public health authorities, subject to consent
• Strictly limited retention period
• No support for law and policy enforcement
• No commercial exploitation

Applicability and details unclear. Due to the cost and low scalability, the risk of repurposing the method is low. Data repurposing is not impossible.

Zero-Trust model specific requirements

• No trust must be expected from any party besides the developer
• The solution must only transfer and centralise truly anonymous data
• The anonymous nature of the data must be transparent and under scrutiny
• The remaining surface attack must be secured
• Transparency and scrutiny on the security measures

Trust-based specific requirements

• Proper governance and oversight on the Trusted Party to strictly limit the processing to the stated purpose
• Vetting of the personnel having access to the data
• Applying the Principle of Least Privilege among the personnel of the data processor
• Code of conduct for the personnel, actively enforced
• Strict application of encryption in transit and at rest until the latest possible moment before processing
• Reducing the attack surface to a minimum and securing it
• Systematically distrusting any party not under direct control of the Trusted Party (like infrastructure providers)
• Transparency and scrutiny on the security measures
• Pseudonymisation without storage of re-personalisation data
• Shortest possible retention period, preferably rolling
• Applying data minimisation, limit the data centralised