Data privacy groups pile in on UK contact-tracing app

UK-based digital privacy and free speech campaigning organisation files complaint with the Information Commissioner’s Office about contact-tracing app

After making the promise in May of no less than a “world-beating” test, trace and isolate (TTI) regime by 1 June, the contact tracing app at the heart of the programme is yet to be launched – but even as the government scrambles to get it out to the public, more bodies from disparate groups have warned that the proposed application will pose a threat to user privacy, thus hampering uptake.

The whole story of the UK’s contact-tracing app has been one of unmitigated struggle. The contact-tracing app became available for download as a test on the Isle of Wight from 4 May 2020, using Bluetooth Low Energy technology to alert people who may have been exposed to the coronavirus so that they can take action to protect themselves.

Once installed, the app logs the distance between a user’s smartphone and other phones nearby that also have the app installed. The anonymous log of how close users are to others will be stored securely on the user’s phone. If a user becomes unwell with symptoms of Covid-19, they can allow the app to inform the NHS of their status, which will then, subject to risk analysis, trigger an anonymous alert to other app users with whom the user has come into significant contact over the previous few days.

Yet almost as soon as the first details of the app’s capability were announced, critics weighed in with concerns over what it could achieve, its technical capability, and whether the public could, or would, make representative use of it. Particular concerns were held over whether the app’s centralised nature would lead to privacy breaches and whether it would be any use at all though a lack of user uptake. Details have also emerged of a shadow app development project.

These worries have persisted past the two officially stated launch dates of first mid-May 2020 and then 1 June, with the UK government attracting criticism for not only not launching the product as scheduled but also not being able to say when it may launch, and exactly how many people that have downloaded it during the Isle of Wight test are actually using it – or how many are self-isolating as a result of following the operating procedures.

And flatly contradicting official assurances, more bad news for the programme came when The Guardian reported on 4 June that Tony Prestedge, the chief operating officer of the NHS scheme, had told his staff in a webinar that the programme would be “imperfect” at launch and that he hoped it would be operational at a world-class level in three to four months.

“I am sure when [Dido Harding, chief executive of the Track and Trace scheme] announces this service later she will make clear that it is an imperfect service at launch, and that we will improve over time and make it world-class by the time we are moving towards the September or October time,” he said.

Read more about the security of contact tracing

  • Governance and data decentralisation are among measures that organisations can take to allay security and privacy concerns over contact-tracing apps, according to RSA.
  • Human Rights Committee chair Harriet Harman says current data protection law is not up to the job of governing the data collected by the Covid-19 contact-tracing app.
  • The Covid-19 pandemic has necessitated extreme measures not seen in peacetime for over 100 years. Contact-tracing apps are being developed as a tool for managing the pandemic, but are they a step too far?

Taking to BBC Radio and TV on 5 June in attempt to refute The Guardian’s report, UK Transport secretary Grant Shapps inadvertently admitted on The Today Programme that Prestedge was referring to the app and not the programme as whole when speaking about delays.

Now, the UK government is facing calls for an investigation from the UK Information Commission’s Office (ICO) into alleged breaches of data protection laws by the NHS Test and Trace regime.

When the first details of the app were revealed in April 2020, ICO commissioner Elizabeth Denham warned that while the ICO recognised the vital role that data can play in tracking the pandemic and the need to act urgently, people had to have trust and confidence in the way personal data is used to respond to the Covid-19 crisis.

UK-based digital privacy and free speech campaigning organisation the Open Rights Group (ORG) has instructed the legal director of the data rights agency AWO, Ravi Naik, to file a complaint with the ICO concerning the national roll-out of Test and Trace, asserting that the system has been deployed in breach of GDPR regulations.

ORG’s lawyers have also separately written to Matt Hancock, the secretary of state for health, Matthew Gould, the CEO of NHSX at the UK National Health Service’s digital innovation unit, and Duncan Selbie, chief executive of Public Health England, asking for clarity around the Test and Trace system.

ORG argues that to-date, there has been no data protection impact assessment as required by law, leaving no confidence that risks are adequately mitigated. It added that security risks have already been identified that place people at risk and that its 20-year data retention period was “excessive”, and likely to put people off participation; the programme’s commercial and research purposes are unclear as matters stand – making the retention period even more problematic – and that the privacy notice associated with Test and Trace is flawed.

“The ICO must act to enforce the law,” said ORG executive director Jim Killock. “The government is moving too fast, and breaking things as a result. If they carry on in this manner, public confidence will be undermined, and people will refuse to engage with the Track and Trace programme. Public health objectives are being undermined by failures to get privacy and data protection basics in place.”

Not fit for purpose

As ORG was making its statement, Michael Lewis, professor of life science innovation at the University of Birmingham and non-executive chairman of iPlato, the developers of the myGP NHS patient healthcare app, slammed the whole process of the contact-tracing app development, asserting that there was no “fit-for-purpose” Covid-19 track and trace app in the UK. He said the NHS’s desire to control patient data has got in the way of development, and was now “costing lives unnecessarily”.  

In a frank statement of opinion, Lewis argued that the reason the UK was still without a fully functioning track and trace app is due to the NHS’s belief that patient data is its asset, and its subsequent efforts to guard it from the tech moguls. However, by going its own way, he said that the NHS has taken on the mantle of “below-par” software development, as seen with the NHS App and with the Covid-19 track and trace app.

“Putting this simply, Google does not do brain surgery, so why should the NHS build or specify technology?” he said. “The NHS exists to treat patients – not to build technology – and as a result we are seeing inevitable delays, scope creep, partial solutions, and high costs. During this time, lives are lost. The NHS track and trace app was originally planned for a mid-May national launch and is still not fit for purpose.”

Offering a solution, Lewis suggested that enabling Google and Apple temporary access to patient data, as used in decentralised apps which are in use in a number of other countries, in the interest of health or potentially lives, seemed “reasonable”, especially when there was no guarantee that people could trust the state to guard user data.

“In reality, anyone online already shares health data with Google and Apple every day, from simple search history to location data and app usage, right through to our purchasing history and our calendars,” he said.

“With this in mind, as long as there are reasonable parameters in place in terms of how long the tech giants can access patients’ data for, one could say that the data horse has already bolted, and the philosophical debate about who owns what should be put aside in the interest of delivering a functional track and trace technology that can impact a 15-20 % reduction in Covid-19 transmission and save lives from day one.”

Read more on Mobile apps and software