A new report highlights a missed opportunity in the fight against the COVID-19 pandemic: using the mammoth data sets already in the hands of businesses for contract tracing. More than a year into the pandemic, Instagram advertisers can find my location and deduce my interests in “GMAT exam,” “Nike Air Max, and “handmade jewelry.” Yet contact tracers can’t say if a Second Cup outlet that redeemed my loyalty rewards had recent visitors with COVID-19.

What it is: The report comes out of a workshop on a proposed system called Pandemic Intelligence: Trusted Exchange Network, or PI:TEN, from the MaRS Discovery District and Toronto Region Board of Trade. The workshop gathered lawyers, academics, health officials, civil rights groups and data scientists for a “thought experiment”: could a new non-profit safely open Toronto’s Financial District by coordinating existing data collectors like loyalty programs, transit passes and building access cards? 

The report, from the Schwartz Reisman Institute for Technology and Society at the University of Toronto, highlights the roadblocks to harnessing commercial data for public health. Here are just four:

Roadblock 1. One-dose summer: As pandemic fatigue sets in and vaccines roll out, political will may be fading for projects like PI:TEN. But Gillian K. Hadfield, the institute’s director, said in an interview with The Logic it’s still important to prepare digital infrastructure to guard against future COVID-19 variants, or even the next pandemic. To roll out fast in an emergency, something like PI:TEN should be examined by privacy regulators and potential partners ahead of time, said Hadfield. 

Roadblock 2. App apathy: Workshop participants pointed out the low uptake of the Canadian government’s COVID Alert app. Could PI:TEN avoid the same fate? Is the COVID Alert data too limited—and the prospect of getting an alert so low—that it’s not worth it to consumers? Also, would privacy concerns prevent consumers from using it? Is requiring ill people to engage with an app too much? 

Roadblock 3. Businesses on board: Businesses might need to be incentivized—perhaps with a certification akin to DineSafe—to do the heavy lifting of creating consent forms, getting customers to opt in, and ensuring data is formatted, anonymized, safe and deleted from the system in a timely way.

Roadblock 4. The privacy elephant in the room: Workshop participants cited by the report said location data is “extremely sensitive,” and the MaRS Solutions Lab noted that each business added to the network increases the privacy risks by an “order of magnitude.”

It’s not clear where PI:TEN will go, if anywhere. But the idea has raised questions about privacy, and the duty of corporations to share data that would protect the public.