Covid-19 Contact Tracing Apps, a Centralised vs. Decentralised Approach

Photo of a CoVid-19 contact tracing application.

Photo by Mika Baumeister.

The Isle of Wight Trial

The NHS is currently trialling a Covid-19 contact tracing app on the Isle of Wight. The premise of these apps are simple; they monitor either location or distance data, alongside self-reported covid-19 symptoms. If a user becomes infected, the app warns others who have been in the vicinity of the recently infected individual and gives advice to self-isolate for 14 days. The blanket term for this type of preventative measure is contact tracing. Contact tracing is currently successfully employed in the UK to prevent the spread of sexually transmitted diseases. It is hoped that the development of the NHS app can prevent the spread of Covid-19. Unfortunately, there have been significant concerns over user privacy. There has been debate and even controversy on the centralised vs. decentralised approach.


In its current trial state in the Isle of Wight, the NHS app works using Bluetooth data. Each user has a unique ID generated by the app. Whilst a person is travelling with their phone, the app uses Bluetooth to search for other app users. If two people with the app installed on their phone are near each other, then the apps exchange IDs and record the strength of the Bluetooth signal between the phones. Your phone keeps a record of each user which they have encountered and uses the strength of the Bluetooth signal to determine the distance between users. The difference between centralised and decentralised apps is how this data is handled when a user develops symptoms.

Centralised vs. Decentralised

The current NHS model uses a centralised approach. When a user voluntarily tells the app that they have Covid-19 symptoms, the app sends the user’s ID and all ID’s of those that they have been in contact with to a centralised NHS database. This database then sends a message to all individuals that the infected user has been in the vicinity of, advising them to self-isolate.


Google and Apple have criticized this approach and are promoting a decentralised model. In a decentralised model, when a user inputs symptoms, the app only sends the ID of the infected user to the database (opposed to the infected user’s ID and the IDs of everyone they have been in contact with). In this model, the database continually publishes a list of infected user IDs which is downloaded to all phones. Your app compares the list of infected user IDs and the list of users who you have been in contact with. If there is a match, then you are advised to self-isolate.


The centralised vs. decentralised debate is focused on effectiveness vs. privacy. Promoters of the centralised model state that their model gives more insight into the spread of the virus. Supporters of the decentralised model state that their model protects users from the abuse of large quantities of location data by hackers or by the state itself. European Data Protection Supervisor Wojciech Wiewiórowski states that, from a data protection point of view, the preferred option would be a decentralised approach, but the EU data protection authorities aren’t opposed to a centralised system.


Regardless of which model is adopted, the effectiveness of the apps must be considered. Decentralised apps can use data from centralised apps, but centralised apps cannot use data from decentralised apps. Italy, Switzerland, Austria, Latvia, Estonia, Finland, Ireland, Germany and Canada have all indicated that they are moving towards a decentralised model. Whilst France, Singapore and Australia have given indications that they are using a centralised model. The NHS app would not be compatible with the apps from countries using a decentralised model.


With the UK’s announcement that it has hired 25,000 telephone contact tracers it is likely that NHS app will shortly be moving out of its trial phase. A recent report by Oxford University suggested that 60% of a population would need to be using a contact tracing app for it to be effective at halting the pandemic, with a lower uptake only slowing the spread. Will the citizens of the UK be willing to sacrifice their privacy in order to return to normal life?


About Us: Tacita is a leading General Data Protection Regulation (GDPR) compliance specialist operating from their base in the United Kingdom. This company helps clients maintain their GDPR compliance in a cost-effective manner with minimal disruption. Offering clear and actionable solutions, the company offers an unbiased service ensuring their clients save time, money, and energy when it comes to their GDPR requirements. Tacita provides a three-step process, which includes assessments, recommendations and resolutions with detailed reporting and data processing, record processing and privacy policies. Full details can be found at https://www.tacita.io/

Send us a message

Telephone: 020 3998 9504
Email: contact@tacita.io

To see how we use your data, see our Privacy Notice.