This is the first in a series of four blog posts in which Susan Wolf and Lynn Wyeth take a closer look at the government’s proposed NHS COVID 19 contact tracing app (COVID App) from different perspectives.
On 12 April 2020, the UK Government announced that NHSX, a unit of the NHS responsible for digital innovation, was developing a COVID 19 contact tracing app to help in its attempts to combat the coronavirus pandemic. A trial began on the Isle of Wight on 5 May. This could result in the app being improved before it is used more widely across the UK.
In this first blog we explain what the proposed app will look like, how it will work and how it compares with other contact tracing apps. This will be followed by an analysis of the data protection issues raised by the introduction of the app in the UK. The third blog will examine some of the wider privacy and Human Rights concerns, and the fourth blog will look at more detailed issues relating to anonymisation, the use of the data for research purposes and the impact on data subjects’ rights.
What is Contact Tracing?
Contact tracing has been used for many years throughout the world to enable public health organisations to try and identify who people with contagious diseases have been in contact with so that they can be warned that they may be at risk. It has traditionally involved a manual exercise of a health professional working with a diagnosed patient to try and establish who they may have been in close contact with during the infectious period of the disease. However, with the number of smart phone users worldwide surpassing 3.8 billion (more than half the world’s population) mobile phones can provide a much faster and more accurate tracing system.
What is a Contact Tracing App?
A contact tracing app is a smart phone application that automatically warns people if they have been in close contact with someone who later reports that they have COVID 19 symptoms or who has tested positive. App users are allocated a unique identifier that is transmitted by Bluetooth signal from their phone. When they come into close contact with other app users their unique IDs are exchanged, via Bluetooth, between phones. The Telegraph Newspaper neatly describes it as a form of “digital handshake.”
According to Wikipedia, 15 countries have developed a contact tracing app and many others are in the process.
The Different App Models
What happens to the information that is stored on a contact tracing app user’s phone depends upon the type of app that is being used. In recent weeks it has become clear that contact tracing apps fall into two broad “types” and, according to the Guardian Newspaper on 7th May 2020, the world is split between the so-called decentralised and centralised models. What basically differentiates the two models is the way in which the information that is stored on users’ phones is processed and used to notify others.
The distinguishing feature of the “decentralised model” is that unique IDs are matched on a user’s smart phone and are not transferred to any central server held by a government or private sector organisation. If a user tests positive for COVID 19 they would “inform” the app, which would then identify and notify other app users who have been in close contact with them. The “match” takes place entirely on the user’s smart phone.
When a contact receives a notification this too is entirely private to them. In other words, public health or government organisations are not notified that a user has been in proximity to an infected person. The general perception appears to be that the decentralised model is more “privacy friendly”. The Parliamentary Joint Committee on Human Rights, the Information Commissioner’s Office, privacy experts and organisations, as well as the European Parliament and the European Data Protection Board (EDPB), have all indicated a preference for a decentralised approach.
Most decentralised models use the Apple and Google application programming interface (“API”), which supports contact tracing. This is an important point because it allows the interoperability of Bluetooth communication between Apple iPhones and Android phones. iPhones normally switch off the Bluetooth function when the phone is locked; however this API allows Bluetooth to function even when an iPhone is locked, thus enabling contact tracing to operate at all times.
In contrast the “centralised model” involves the transfer of information from the users’ smartphones to a remote server operated by a government organisation or by the private sector on their behalf. The central server then determines who is at risk and who should be notified. The perception is that the centralised model is a less privacy friendly option. However it does allow for useful data to be transferred to a public health organisation and used for epidemiological purposes. A recent BBC article provides a useful graphic illustration of the differences between the two models.
The NHS COVID App
The UK NHS COVID App falls into the general category of “centralised” apps. It is still being piloted on the Isle of Wight and is currently the subject of considerable media and political debate.
Once it is finalised the app will be available for smart phone users to download from the Apple or Google stores. Take up will be voluntary. The information below is based on our current understanding of how the app will work, although this may change in the coming weeks.
Once the app is downloaded users need to provide the first half of their postcode but no other personal information. This will be used along with a random string of numbers to provide each user with their own unique ID. We are told that the first part of the postcode is necessary to enable the NHS to see where there are any COVID 19 hotspots.
When NHS COVID App users come into contact with other app users their phones will exchange their unique IDs. The app can use Bluetooth to measure the distance between people who have the app installed on their phones. The NHS website refers to this as “anonymous proximity information.” However it is debatable whether the unique ID is truly anonymised given the extremely high threshold for complete anonymity.
Once this information is stored on the phone nothing will happen for 28 days.
The information will be deleted unless the app user intervenes by notifying the NHS that they have COVID 19 symptoms or have tested positive. Alternatively app users can delete the app, and this will delete all of the data, although any data already transmitted to the NHS via notification will not be deleted by the app user.
It has been reported that Apple and Google have refused to make their API available to the NHS to support the use of the NHS app. It remains unclear what the current situation is regarding this.
As it currently stands (and to the best of our knowledge) the app has one central question: “How are you feeling today?” If the app user taps that they are feeling unwell, they are then asked whether they have a high temperature and a persistent cough. If a person indicates that they have both these symptoms, then they are prompted to select a date when the symptoms started.
The ‘centralised’ feature of this app is that if somebody is reporting that they are ill with COVID 19 or have symptoms, then the NHS will receive the unique ID of the person reporting that they are ill along with the unique IDs of all the other people who they have come into proximity with. It is this transfer of data from the app user’s phone to a remote server that makes this system ‘centralised’.
However, it remains unclear whether notification is mandatory or voluntary. According to the NHS website, users can “allow the NHS COVID 19 app to inform the NHS”.
This wording suggests that this notification to the NHS is voluntary. If this is the case, then this raises some concerns about the value of the system since it would appear to depend upon voluntary notification. There are concerns that if people notify on the basis of symptoms alone it could result in over notification. In Germany the contact tracing app will only trigger alerts if users have tested positive for COVID 19.
On receipt of the information the NHS will use a “risk algorithm” to determine whether the people the user has come into contact with need to be notified. If it identifies that other users need to be notified, they will receive an alert.
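To make the difference between the two models concrete (see “The Different App Models” above) and to show the NHS flow just described (ID exchange, 28-day retention, a symptom report, then server-side matching and alerts), here is a small added Python simulation. It is not NHSX code and is not based on the app’s source; the ID format, the phone names, the dates and the one-line stand-in for the “risk algorithm” are assumptions made for the example.

```python
import secrets
from datetime import date, timedelta
RETENTION_DAYS = 28  # the page: stored proximity data lives for 28 days

class Phone:
    def __init__(self, postcode_prefix):
        # Constructed: postcode half plus random string (the real NHS derivation is not on the page).
        self.uid = f"{postcode_prefix}-{secrets.token_hex(4)}"
        self.contacts = {}  # other phone's uid -> date of the last handshake
        self.alerts = []    # uids of reporters this phone was warned about

    def handshake(self, other, on):
        # The Bluetooth "digital handshake": both phones record each other's ID.
        self.contacts[other.uid] = on
        other.contacts[self.uid] = on

    def expire(self, today):
        # Drop anything older than the retention window; nothing else happens to it.
        self.contacts = {u: d for u, d in self.contacts.items()
                         if (today - d).days < RETENTION_DAYS}

def centralised_report(reporter, server_log, phones):
    # Centralised (NHS design): reporter's ID AND all contact IDs go to the
    # server, which does the matching and pushes the alerts.
    server_log.append((reporter.uid, sorted(reporter.contacts)))
    for p in phones:
        if p.uid in reporter.contacts:  # stand-in for the server "risk algorithm"
            p.alerts.append(reporter.uid)

def decentralised_report(reporter, server_log, phones):
    # Decentralised: the server only publishes the reporter's own ID; each
    # phone checks its local contact list, so contact IDs never leave the phone.
    server_log.append((reporter.uid, []))
    for p in phones:
        if reporter.uid in p.contacts:  # the match happens on the phone
            p.alerts.append(reporter.uid)

def simulate(model, today=date(2020, 5, 5)):
    # Run one symptom report through `model`; return what each party ends up knowing.
    alice, bob, carol = Phone("PO30"), Phone("PO31"), Phone("PO32")
    alice.handshake(bob, today - timedelta(days=3))     # recent contact
    alice.handshake(carol, today - timedelta(days=30))  # older than 28 days: expired
    for p in (alice, bob, carol):
        p.expire(today)
    server_log = []
    model(alice, server_log, [alice, bob, carol])
    return {"server_sees_contact_ids": sum(len(c) for _, c in server_log),
            "bob_alerted": alice.uid in bob.alerts,
            "carol_alerted": alice.uid in carol.alerts}
```

Both models warn Bob and neither warns Carol (her contact fell outside the 28-day window); the difference is that only the centralised server ends up holding Alice’s contact list.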
The success of the app relies upon various factors including:
- The sufficient take up by members of the public. At the moment it looks like the app will be voluntary. It has been reported that government aides think that the app will need to be downloaded by 60% of the population in order to be effective.
Transport Secretary Grant Shapps said at the daily briefing on Thursday that more than 72,300 out of 140,000 residents in the Isle of Wight have downloaded the app.
- The technology working (see above regarding the Apple and Google programming interface).
- The willingness of members of the public to notify the app that they have tested positive or have COVID 19 symptoms. The former depends upon the availability of testing facilities and the fast turnaround of test results. In a letter to Health Secretary Matt Hancock, the chairman of the Royal College of GPs said long wait times were “undermining confidence” in the results.
The extent to which members of the public will be willing to install and use the app will no doubt depend on whether members of the public believe that the use of the app will help reduce the spread of the virus and save lives. But for others there will inevitably be concerns about the privacy implications of using the app. Some important questions need to be answered:
- What will happen to the data after it has been used?
- How long will it be held?
- Is there a danger of the data being used for other purposes?
- What if use of the app is made a condition for an “immunity passport”?
The answers to these questions will have a big impact on the extent to which the app complies with GDPR and Human Rights law. We will be looking at these questions in more detail in forthcoming blogs. Stay tuned!
Susan Wolf and Lynn Wyeth are Associates with Act Now Training. This and other GDPR developments will be covered in our new online GDPR update workshop. Our next online GDPR Practitioner Certificate course is fully booked. We have 1 place left on the course starting on 11th June.