UK switches its Covid-19 tracing app model

On 18 June, the UK government switched from a centralised Covid-19 tracing app model to a decentralised model based on the Google-Apple platform where the data resides on the mobile device. An aim is to reassure users and develop trust that their privacy is well-protected. Their data will not suffer from mission creep by being used for other purposes, for example by the police. A downside of this policy shift is that it will be more difficult for the government to monitor the trajectory of the pandemic.

The UK’s National Health Service had developed a model based on a Swiss company’s knowhow, had several privacy protections built-in and had consulted the UK’s Information Commissioner. But a negative factor in the trial was that the app failed to work effectively with Apple phones when they were “asleep.”

Some countries, such as Germany, have chosen a decentralised model from the start, while others, such as Italy and Denmark, have switched from a centralised to a de-centralised model. Australia is sticking with its centralised model.

The EDPB explains the privacy law dimension

On 16 June, the European Data Protection Board (EDPB), the group of national DPAs in the European Economic Area, adopted a statement on the interoperability of contact tracing applications, building on their April Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 pandemic. The statement highlights some of the more important privacy principles related to tracing apps including: “transparency, legal basis, controllership, data subject rights, data retention and minimisation, information security and data accuracy.” The EDPB makes it clear that “the sharing of data about individuals that have been diagnosed or tested positively with such interoperable applications should only be triggered by a voluntary action of the user. Giving data subjects information and control will increase their trust in the solutions and their potential up-take.”

While the ICO no longer has an automatic place on the EDPB, but is invited only when needed, these principles advocated by the EDPB are not controversial and are entirely consistent with the UK’s Data Protection Act. 2018.

See Privacy aspects of Australia’s CovidSAFE contact tracing app - PL&B's first podcast