This is an open-access article distributed under the terms of the Creative Commons Attribution License (https://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work, first published in JMIR mHealth and uHealth, is properly cited. The complete bibliographic information, a link to the original publication on https://mhealth.jmir.org/, as well as this copyright and license information must be included.
Digital contact tracing apps have the potential to augment contact tracing systems and disrupt COVID-19 transmission by rapidly identifying secondary cases prior to the onset of infectiousness and linking them into a system of quarantine, testing, and health care worker case management. The international experience of digital contact tracing apps during the COVID-19 pandemic demonstrates how challenging their design and deployment are.
This study aims to derive and summarize best practice guidance for the design of the ideal digital contact tracing app.
A collaborative cross-disciplinary approach was used to derive best practice guidance for designing the ideal digital contact tracing app. A search of the indexed and gray literature was conducted to identify articles describing or evaluating digital contact tracing apps. MEDLINE was searched using a combination of free-text terms and Medical Subject Headings search terms. Gray literature sources searched were the World Health Organization Institutional Repository for Information Sharing, the European Centre for Disease Prevention and Control publications library, and Google, including the websites of many health protection authorities. Articles that were acceptable for inclusion in this evidence synthesis were peer-reviewed publications, cohort studies, randomized trials, modeling studies, technical reports, white papers, and media reports related to digital contact tracing.
Ethical, user experience, privacy and data protection, technical, clinical and societal, and evaluation considerations were identified from the literature. The ideal digital contact tracing app should be voluntary and should be equitably available and accessible. User engagement could be enhanced by small financial incentives, enabling users to tailor aspects of the app to their particular needs and integrating digital contact tracing apps into the wider public health information campaign. Adherence to the principles of good data protection and privacy by design is important to convince target populations to download and use digital contact tracing apps. Bluetooth Low Energy is recommended for a digital contact tracing app's contact event detection, but combining it with ultrasound technology may improve a digital contact tracing app's accuracy. A decentralized privacy-preserving protocol should be followed to enable digital contact tracing app users to exchange and record temporary contact numbers during contact events. The ideal digital contact tracing app should define and risk-stratify contact events according to proximity, duration of contact, and the infectiousness of the case at the time of contact. Evaluating digital contact tracing apps requires data to quantify app downloads, use among COVID-19 cases, successful contact alert generation, contact alert receivers, contact alert receivers that adhere to quarantine and testing recommendations, and the number of contact alert receivers who subsequently are tested positive for COVID-19. The outcomes of digital contact tracing apps' evaluations should be openly reported to allow for the wider public to review the evaluation of the app.
In conclusion, key considerations and best practice guidance for the design of the ideal digital contact tracing app were derived from the literature.
COVID-19 was declared a global pandemic by the World Health Organization (WHO) on March 11, 2020 [
An effective “test and trace” system is key if the most restrictive social distancing measures such as national “stay at home” orders are to be avoided [
A digital contact tracing app (DCTA) is an app that can detect and trace other app-carrying individuals who have had contact with one another that would risk COVID-19 transmission if one were to be infected. Early in the pandemic, DCTAs were seen as a potentially innovative solution to contain COVID-19 by augmenting the effectiveness of manual contact tracing [
On March 20, 2020, Singapore became the first country in the world to launch a national DCTA, TraceTogether [
A collaborative cross-disciplinary approach (
To construct the evidence synthesis, a literature search was conducted using Ovid MEDLINE and Epub Ahead of Print, In-Process, and Other Non-Indexed Citations, Daily and Versions. Free-text terms and Medical Subject Headings search terms were used (
From the scoping review (
The outcome of the literature search shown in
For each consideration, best practice guidance for the design of the IDCTA as derived from the literature by the cross-disciplinary group is summarized.
Literature search flow diagram.
On December 10, 1948, the United Nations General Assembly adopted the Universal Declaration of Human Rights, which included the right to health [
There are many frameworks through which the ethics of DCTA’s use can be considered in greater detail. Upshur [
Proportionality, that is, ensuring the intervention is a proportionate response to the public health threat, defines the ethical limits of other aspects of the IDCTA, such as its clinical and societal use and its interference with privacy and data protection rights [
Failure to protect personal data from misuse [
Loss of personal privacy with no personal or societal benefit [
Misuse of limited financial and human resources on an ineffective intervention [
False-positive characterization of contact status (may result in unnecessary quarantining and anxiety) [
False-negative characterization of contact status (may result in further onward disease transmission) [
Loss of trust in public health authorities and public health measures [
The IDCTA should be voluntary and consent-based according to the WHO and ECDC ethical guidance on DCTAs, and this view is also prevalent in the academic literature [
DCTA availability and accessibility must be equitable, and they should not be used in a discriminatory way [
The IDCTA should be designed so that it synchronizes two independent environments, that of public health authorities and that of end users. DCTA user experience considerations can be thought of as those relating to universality and those relating to user engagement.
To support a more holistic approach to the design of the IDCTA, the concept of universality allowed the cross-disciplinary team to identify a series of dimensions to be taken into account, such as accessibility, minors as users, cultural universality, content, availability, and maintenance and frequency of upgrades with the aim of better accommodating different users’ needs, including minors, older adults, people with chronic disease, and those with various forms of disability, so that accessibility and inclusiveness can be ensured [
Regarding user engagement, nine key aspects were identified from across the literature that could help improve engagement: performance feedback, helpfulness, public health measures, educational information, personal information, personalization and control, time and human effort, flexibility or multimodality, and multitasking. Based on these aspects, user requirements that could increase engagement are evident. Engagement could be potentially enhanced by enabling the user to contact their case health care worker should they have questions regarding their COVID-19 diagnosis. Engagement could also potentially be enhanced by allowing users to identify areas where the incidence of COVID-19 infection is high that they may wish to avoid or settings where the risk of contracting COVID-19 when exposed may be highest (eg, public transport routes known to be frequently crowded). Dynamic, consistently updated information on confirmed cases, testing sites, vaccination sites, government restrictions, and preventive strategies could enhance user engagement by making the benefit of using the app more apparent to the users and integrating it with the wider public health information campaign as part of the national COVID-19 response. However, the amount of information presented should not be overwhelming for users. Graphic representation of these data may also be beneficial (eg, visualization may summarize the number of cases or close contacts being reported per day or week). By conveniently providing useful information on the DCTA, it has the potential to engage and help users long-term to protect themselves against COVID-19. The IDCTA should also enable the end user to tailor the app to their particular needs to enhance user engagement. For example, users might find it beneficial to personalize which notifications they receive or to temporarily deactivate the contact tracing function [
Privacy and data considerations of DCTAs are dependent on what their functional requirements are. DCTAs need to maintain a contact log, generate a contact alert, and link users with the test and trace system. The IDCTA needs to perform these functions while respecting individual privacy rights and adhering to data protection regulation [
Lawfulness: Processing of personal data carried out by a controller must have a legal basis under the General Data Protection Regulation.
Fairness: Processing of personal data must be fair toward the individual whose personal data are concerned and avoid being unduly detrimental, unexpected, misleading, or deceptive.
Transparency: Controllers must provide individuals with information regarding the processing of their personal data in a format that is concise, easily accessible, and easy to understand.
Personal data must be collected for specified, explicit, and legitimate purposes.
Personal data that are collected and processed should be adequate, relevant, and limited to what is necessary for the purposes for which they are processed.
Personal data that are collected should be accurate and, where necessary, kept up to date.
Controllers must hold personal data, in a form that permits the identification of individuals, for no longer than is necessary for the purposes for which the personal data are processed.
Personal data must be processed by controllers only in a manner that ensures the appropriate level of security and confidentiality for the personal data using appropriate technical or organizational measures.
Controllers are responsible for, and must be able to demonstrate compliance with, the other principles of data protection.
To be lawful, there must be a legal basis on which the data are processed [
DCTA contact logs should adhere to the principles of privacy by design and data minimization by collecting only an anonymized identifier unique to each contact event [
When a DCTA user is confirmed to have COVID-19, an exposure notification system is necessary to enable them to alert their contacts. To ensure data collected are accurate, it has been suggested that COIVD-19 cases have their status verified before they can use the exposure notification system to prevent misuse [
In some countries such as South Korea and Israel, interference with individual privacy rights was deemed to be a necessary proportionate response to COVID-19. However, Western societies particularly value privacy [
In May 2020, Google and Apple collaborated to create an application programming interface (API) [
For the IDCTA, the choice of which technology to use to detect contact events will be influenced by its cost, energy use, accuracy, availability, accessibility, adherence to data protection regulation, and by how it effects privacy preservation and overall DCTA effectiveness [
Potential DCTA technologies and the implications of their use.
DCTAa technology | Bluetooth LEb | GPS-enabled geolocation tracking | Bluetooth LE and ultrasound | Ultra-wideband |
Accuracyc | Accuracy reported as 72%d (distance threshold not reported) and 79% (distance threshold 1.5 m); although, independent studies did not reproduce these results [ |
Accurate to within 4.9 m, but concerns that GPS location tracking for COVID-19 contact tracing not feasible due to limited accuracy [ |
Accuracy reported as 55% (distance threshold ≤6 foot) and accuracy reported as 99.6% (distance threshold ≤12 foot) [ |
Highly accurate [ |
Effectiveness in augmenting manual contact tracing | Limited evidence to suggest effectiveness [ |
Limited anecdotal evidence to suggest effectiveness [ |
Insufficient evidence found to suggest effectiveness | No instances of ultra-wideband–enabled DCTAs found in the literature. |
Energy use | Less than GPS [ |
More than Bluetooth LE [ |
Not reported | Low energy use [ |
Accessibility and availability | Widely available [ |
Widely available [ |
Widely available but less so than Bluetooth LE or GPS | Not widely available [ |
Adherence with principle of privacy preservation | Highly adherent (records only proximity) | Less adherent (records location, which is potentially identifiable) | Adherente (records only proximity) | Highly adherent [ |
Adherence with principles of data protection | Adherent | Interferes with the principle of data minimization | Adherent | Adherent |
aDCTA: digital contact tracing app.
bLE: Low Energy.
c(True positives + true negatives) / total number of tests.
dCOVID Tracker Ireland reported being able to accurately identify 72% of close contacts, although field studies supporting this claim have not been published.
ePerception that it has the potential for misuse of audio data [
The IDCTA must enable users to exchange and record temporary contact numbers when they are in contact within prespecified time and distance thresholds [
Ensuring processes that protect personal data from misuse are rigorously enforced is important in building public confidence that their personal data are safe. The European Union has stated that a DCTA should use a decentralized model to protect individual privacy [
Centralized versus decentralized digital contact tracing. Reprinted from Hernández-Orallo et al [
How a contact is defined by the app should also be considered. DCTAs may define contacts according to binary distance (eg, within 2 m) and duration of contact (eg, 15 minutes or less) thresholds in keeping with the definition applied by health authorities [
COVID-19 transmission chain disruption could potentially be enhanced by using DCTAs to augment manual contact tracing [
The IDCTA should avoid functions that necessitate additional data processing that may raise privacy concerns, such as age, sex, location, or ethnicity. Any additional functions should be justifiable, proportionate, privacy preserving, and adherent to data protection regulation. Additional functions should be defined before DCTA deployment in keeping with the data protection principle of purpose limitation [
To be ethical and adherent with data protection regulation, the continued use of a DCTA needs to be supported by evidence that it has been effective in contributing to epidemic control. A DCTA is a multistep intervention. There are several steps where they may fail to effectively disrupt transmission chains, including being downloaded; recording contact events; sending contact alerts; and integrating with the wider contact tracing, testing, quarantine, and isolation systems [
Metrics to evaluate ideal DCTA effectiveness.
Indicator of effectiveness | Purpose | Metric numerator (source) | Metric denominator (source) |
DCTAa is downloaded | To estimate the proportion of the smartphone owning population who download the DCTA | Number of DCTA downloads minus number of DCTA deletions (DCTA) | Number of smartphone owners nationally (Government statistics office; eg, Central Statistics Office, ROIb) |
DCTA is active | To estimate the proportion of DCTAs downloaded that are being used | Number of DCTAs with contact tracing turned on (DCTA) | Number of DCTAs downloaded minus number of DCTAs deleted (DCTA) |
DCTA is active | To estimate the proportion of DCTAs downloaded that are being used | Frequency and duration of use (DCTA) | N/Ac |
DCTA is active | To estimate the proportion of DCTAs downloaded that are being used | Number of DCTAs downloading TCNsd of cases on central server per day (assuming DCTA downloads keys once per day when active; DCTA) | Number of DCTAs downloaded minus number of DCTAs deleted (DCTA) |
DCTA is used by COVID-19 cases | To estimate the DCTA penetration among people who contract COVID-19 | Number of positive test results uploaded to DCTA (DCTA) | Number of COVID-19 cases nationally (national surveillance data) |
DCTA is used by COVID-19 cases | To estimate the DCTA penetration among people who contract COVID-19 | Number of COVID-19 cases who attended a screening center reporting DCTA active use (survey of attendees at testing centers and review of participants’ test results) | Number of COVID-19 cases who attended a screening center (screening center data) |
DCTA is used by COVID-19 cases to notify close contacts | To estimate the proportion of cases using the DCTA who use it to send contact alerts | Number of DCTAs that send a contact alert (DCTA) | Number of DCTAs with a positive COVID-19 test recorded (national surveillance data) |
DCTA is used by COVID-19 cases to notify close contacts | To estimate the proportion of cases using the DCTA who use it to send contact alerts | Number of COVID-19 cases who attended a screening center reporting DCTA active use and who report sending a contact alert (follow-up survey of COVID-19 cases who reported DCTA use at time of screening) | Number of COVID-19 cases who attended a screening center reporting DCTA active use (survey of attendees at testing centers and review of participants’ test results) |
Close contacts using DCTA receive alert | To estimate the DCTA penetration among people who are close contacts | Number of DCTAs that receive a contact alert (DCTA) | Number of close contacts identified nationally (national surveillance data) |
DCTA identifies contacts not identified by manual contact tracing | To demonstrate the DCTA augments manual contact tracing | Number of close contacts attending testing center identified exclusively by DCTA (survey of attendees at testing centers) | Number of close contacts attending testing center (survey of attendees at testing centers) |
DCTA identifies contacts sooner than manual contact tracing | To demonstrate the DCTA augments manual contact tracing | Number of close contacts attending testing center who received contact alert from DCTA before contact alert from manual contact tracing service (survey of attendees at testing centers) | Number of close contacts attending testing center (survey of attendees at testing centers) |
Close contacts using DCTA are tested for COVID-19 | To estimate the proportion of contacts who are tested for COVID-19 and to estimate the number of cases identified by the DCTA | Number of DCTAs with a COVID-19 test result uploaded within 14 days of a contact alert (DCTA) | Number of DCTAs that receive a contact alert (DCTA) |
DCTA associated harm is recognized | To determine what harms, if any, occur with DCTA use | N/A (qualitative survey of DCTA users) | N/A |
aDCTA: digital contact tracing app.
bROI: Republic of Ireland.
cN/A: not applicable.
dTCN: temporary contact number.
Key considerations were ethical, user experience, privacy and data protection, clinical and societal, and evaluation. Proportionality, voluntariness, transparency, trustworthiness, and equity are necessary for the design and deployment of the IDCTA. Universality and user engagement are important user experience considerations that can influence DCTA use in the population. Dimensions of universality that should be taken into account when designing the IDCTA are accessibility, minors as users, cultural universality, content, availability, and maintenance and frequency of upgrades. User engagement could be enhanced by small financial incentives, enabling users to tailor aspects of the app to their particular needs and integrating DCTAs into the wider public health information campaign. If DCTAs are to be trusted, accepted, and used by the target population, they must be adherent to data protection regulation and have privacy by design through all elements, including maintaining contact logs, generating contact alerts, and linking users into the test and trace system. For the IDCTA, the choice of which technology is used will be influenced by its cost, energy use, availability, accessibility, adherence to data protection regulation and principles of privacy by design, and accuracy when detecting contact events. Combining ultrasound technology with Bluetooth LE may improve accuracy by reducing the number of false-positive contacts identified. A decentralized privacy preserving protocol should be followed to enable DCTA users to exchange and record temporary contact numbers during contact events. The IDCTA should define and risk stratify contact events according to proximity, duration of contact, and the infectiousness of the case at the time of contact. Evaluating DCTAs requires data to quantify app downloads, use among COVID-19 cases, successful contact alert generation, contact alert receivers, contact alert receivers that adhere to quarantine and testing recommendations, and the number of contact alert receivers who subsequently are tested positive for COVID-19.
This cross-disciplinary review presents best practice guidance for developing the IDCTA and is informative for those involved in DCTA research, design, and deployment. It also serves as a comprehensive and accessible entry point for those beginning to engage with this research subject, which has evolved significantly after a period of intensive exploration in 2020. DCTAs will likely be a significant research field not only for the remainder of the COVID-19 pandemic but also in the postpandemic era because of a renewed interest and support for pandemic preparedness. Demonstrating the effectiveness of COVID-19 DCTAs is a current research priority [
A weakness of this research was that it did not specifically address how DCTAs should be integrated into the wider test and trace system. There is a need for future dedicated research to synthesize and evaluate evidence, and generate best practice recommendations for this consideration of DCTA deployment. The limitations of this review are that the index and gray literature searches, while extensive, were not performed using systematic review methodology. The inclusion of both indexed and gray literature enabled the derivation of best practice guidance from the literature during a phase of rapid DCTA research and development growth. The cross-disciplinary approach taken to evaluating the evidence was a strength of this research because it allowed varying aspects of DCTA design and deployment to be considered.
Future promising developments in this field may be the use of blockchain technology, ultra-wideband technology, and artificial intelligence in DCTA design. Privacy and data protection concerns are significant barriers to DCTA uptake in Western societies [
In conclusion, key considerations and best practice guidance for the design of the IDCTA were derived from the literature.
Cross-disciplinary approach.
Scoping review.
Search strategy.
Gray literature sources.
Included articles' description.
Ethical frameworks for digital contact tracing apps.
Evidence supporting user experience recommendations.
application programming interface
digital contact tracing app
Decentralized Privacy Preserving Proximity Tracing
European Centre for Disease Prevention and Control
European Data Protection Board
General Data Protection Regulation
ideal digital contact tracing app
Low Energy
National Health Service
Pan-European Privacy Preserving Proximity Tracing
Republic of Ireland
World Health Organization
This study was supported by Science Foundation Ireland grants 20/COV/0133 and 13/RC/2094.
None declared.