The NHSX Covid-19 tracing app makes privacy headline news



The NHSX Covid-19 app has done more to draw the attention of the media and the public to the role of mobile apps and their privacy risks in a shorter time than most people would think possible. An anonymous tracing app appears to offer an attractive tech solution to reduce the spread of the coronavirus.

By contrast, the gradual relaxation of the stay at home policy is subject to fluid interpretation, particularly for people who live near the English/Welsh border or English/Scottish border where the rules differ. As for the Northern Ireland/Republic of Ireland border, Ireland is using the Google/Apple app which is different from the UK-based app. As a consequence, it may be more difficult to calculate the Reproduction rate of the disease and therefore work out how to tackle it.

Intelligent balanced discussion, as at the hearing of Parliament’s Joint Committee on Human Rights (p.8) revealed that the privacy arguments in favour of collection and storage of data on the app held by individuals has to be balanced against the central collection of anonymous data by the National Health Service. The advantage of collecting data at the centre is that it enables the identification of trends and regional hot spots to help plan health care provision to mitigate the impact of the virus leading to improved health outcomes.

Fortunately, the European legislators built flexibility into the GDPR which provides for a legal ground to enable employers and the competent public health authorities to process personal data in the context of epidemics, without the need to obtain the consent of the data subject (p.11).

Why the Isle of Wight?

In the words of the official app information: “The app is being launched on the Isle of Wight as part of the first phase of a large-scale, integrated phone-based contact tracing and swab testing programme. This will play a central role in how the UK manages the rate of coronavirus transmission going forward.”

The Isle of Wight is attracting an unprecedented amount of attention as the place chosen to test the app before it is rolled out nationally. It makes perfect sense with its defined and separate location from the mainland, its cohesive island identity (now given an important national mission), its relatively small population, its compact size, and its fully integrated NHS service.

As of 11 May, the 88,000 households on the island had received letters leading to over 55,000 app downloads representing over half of the adults. Everyone over the age of 16 is encouraged to download the app. Although not all are necessarily resident on the island, it is assumed that the great majority are based there.

With an app hurriedly prepared by NHSX in consultation with the National Cyber Security Centre and the ICO, the privacy protections are, as a consequence, tangible. The app’s communication is based on short distance Bluetooth Low Energy and not deployment of satellite-based GPS data which could potentially be used for surveillance purposes.

Privacy issues, challenges or problems

Some people have made the case for using the combined tracing app produced by Apple and Google, but a “Made in Europe” solution within a European regulatory framework seems to me to be the right choice. However, these tech giants are fully involved in that the app has to be downloaded from their app stores.

We have been fortunate to secure the insights of an Isle of Wight resident, Frank Madden, whose day job is Global Privacy Consultant at IBM UK, and his daughter, Sionna Madden, who has more apps expertise than her father, he tells us.

How does the app work?

“When I downloaded the app, there is a data and privacy link. It declares that all data is anonymous and that it actually cannot trace your location. The leaflet that accompanies the letter we received states that there is no GPS, nor ability to record location. The app simply records how far away I am from someone else with the same app. From there, I would apparently be advised of that other person who has reported that they have been infected, which we must do. An anonymous message is then sent to all those who have been in proximity.”

“What the guidance however did not state is that this will be reviewed to determine whether the tech is actually working properly and whether this tracing is still necessary. A Data Protection Impact Assessment (DPIA) should be mandatory, undertaken every 30 days - and the DPIA should be published for all to see, to achieve the first principle of lawfulness, fairness and transparency.”

Some privacy positives

The official advice is “Using the app is voluntary and you can delete it at any time.”

Madden explained why he considers the app to be based on the principle of anonymity. “Prior to downloading the app, I had to input my post code. The link also states that the app cannot access my personal identity nor any other information on my iPhone. I did not have to input my full post code; only the first four digits. So it would not be possible to pinpoint my exact location. And there is no use of GPS. So yes, anonymous.”

He continued: “If you do not have an iPhone or a Smartphone, and have tested positive, you will be rung on your landline and advised accordingly.” When asked how that happens if name-linked data is not uploaded to the system, he replied: “If you have tested positive, you are to use the app to report that information. A message is then sent to those you have come into contact with, advising them what they must do to stop the virus spreading.”
Referring to the app’s legal basis, he commented: “Article 9 of the GDPR on Special Categories of Personal Data provides a vital interest exception. So even if my personal data were somehow visible, I would not need to give my explicit consent for data concerning my health. Nevertheless, I was willing to be traced for this purpose in the short term.”

In terms of the increasingly important practical User Experience (UX), users do not have to miss their usual apps: “Users can have the Covid-19 app open in the background, whilst another, unrelated App has been opened in the foreground. Both apps are visible on the screen.”

Some privacy negatives

Regarding the app’s privacy policy, Madden found it not accessible: “The app can only be downloaded from the Apple App store, or from Google Play. Fortunately, I have an account with Apple. Nevertheless, I had to agree to Apple's Terms & conditions (T's and C's) - 18 pages, which I could not read on my iPhone, so asked to have them emailed to me. I received confirmation of the download from Apple shortly after. The link to the T's & C's - which were at the bottom of the email, and not at all prominent within - stated The page you’re looking for can’t be found. So I am no clearer on what T's & C's I actually agreed to.”

Less tech savvy residents face additional problems: “Even if your iPhone has either of these apps already on your mobile, I think that may be an issue for older residents, as in addition to having an iPhone/Smartphone and accessing Bluetooth, you also have to have an account with one of these vendors - not just showing the app on your screen - who then mandate that you have to agree to their T's & Cs as well. I didn't expect that, as I thought I would just find the link on the NHS site and click on it.” When asked whether the app fails on the understandability test, he replied: “Yes, I would agree that it has not been fully explained.”

Asked about the duration of the Isle of Wight test, he responded: “That is not clear. It is a test. Once modelling and improvements are made to the app, it is expected that it will be rolled out elsewhere in England. We expect it will be part of life here in the Island for some time. The only criticism I have heard from others here is that older mobile phones are not compatible with the app.” The app supports system 8 and above for Android, and 11 and above for iOS. The official app information explains that the app does not yet work with older Android and Apple phones nor Huawei mobile phones but the plan is that it will do so.

Madden continued “But so far, no grumbling about having to have it, given that you cannot be traced. Indeed, those trying to continue to work - and unclear whether or not they are providing necessary services - are reassured that they can download the app without fear of being tracked or traced, potentially violating the lockdown conditions.”

*******

With health services quite properly in the spotlight, this record 32 page PL&B UK Report has a front page interview by Laura Linkomies with Barry Moult. He is the winner of the 2020 ICO Practitioner Award for Excellence in Data Protection. He is an Information Governance and Privacy Consultant, and was formerly Head of Information Governance and Health Records at the Colchester Hospital University NHS Foundation Trust. He makes it clear that the Data Protection Act, the Freedom of Information Act and records management are closely related elements of Information Governance. The ICO remains the supervisory agency for these laws, although there are adjustments in its priorities (pp.15 and 29).

40 years ago this month, I made the case for a UK Freedom of Information Act which was enacted in 2000. Now in 2020, transparency is the norm. It is the basis of trust, and fundamental to the government’s development of the Covid-19 tracing app and its handling of the health crisis in general. There can be debate over the merits of government policies, but all sides now recognise the advantages of a well-informed and well-educated public in planning for the future.

Regards,

Stewart Dresner, Publisher

 

UK Report 109

Lead story:

Returning to work: Covid-19 and the UK data protection perspective

Nicola Fulford and Hannah Jackson of Hogan Lovells report on the data protection aspects organisations should consider with regard to coronavirus testing and processing of health data.

Contents also include:

  • Comment: Stay alert to Covid-19 DP issues
  • ICO award winner Barry Moult
  • Calls for legislation to secure privacy for contact tracing app
  • PL&B coronavirus survey
  • SMEs need practical GDPR guidance
  • Morrisons data breach
  • Scientific research and GDPR
  • Artificial Intelligence regulation
  • Covid-19 challenges for DSARs
  • Adtech: Assessing the lawful basis
  • Tips for managing data breaches
  • ICO eases up on FOI deadlines
  • ICO spotlights Covid-19 privacy
  • Guidance on DP and coronavirus
  • CCTV guidelines issued
  • ICO defines its priorities
  • UK adequacy and Brexit talks
  • ICO steps back on enforcement
  • Covid app: Primary legislation?
  • Research on digital identities
  • ICO investigates TikTok
  • AI and public standards
  • ICO consults on AI auditing framework
  • £171,000 fine for unsolicited calls