I think it really depends on the nature of the application, because in many of these applications, there's no data that's produced. In the Bluetooth handshakes that are potentially engaging between two telephones using an API, the sole thing that's generated is a synonymized or anonymized key that indicates the contact between the two, and all of the information lives on the phone.
To the question asked by the honourable member, I would say it very much depends on the specifics of the application, but obviously, concerns around data protection and privacy are foremost in the government's operations of anything in the exposure notification space.