Mathilde Groppo examines the perceived risks to privacy and discusses three safeguards to secure personal information and prevent data breaches through the CV19 app.

As Britain enters its second month of lockdown, Boris Johnson’s government is under intense pressure to reveal its lockdown exit strategy. Health and social care secretary Matt Hancock says implementation of a “test, track and trace” approach will be key to lifting the lockdown while avoiding a second wave of infections.

So what is contact tracing? It is a monitoring process comprising various elements: identification of infected persons (including by way of self-reporting and verification); contact identification (of individuals who have been in contact with an infected person); contact listing (of the relevant individuals, who will be informed of their contact status and receive advice as to actions to be taken); and contact follow up (as a way of monitoring symptoms).

Contact tracing: a threat to privacy?

In a liberal democracy like the UK, the effectiveness of a contact tracing strategy relies on voluntary participation by the population. But contact tracing poses risks to individuals’ fundamental freedoms, in particular their right to privacy, and can potentially impact businesses if it is misused.

Given the strong public interest in implementing a contact tracing strategy, it is crucial to address individuals’ perceived concerns with contact tracing, in order to avoid it being seen as an unjustified trade-off of individual freedoms for public health, and to secure mass voluntary participation.

As with most of its European counterparts, a key aspect of the UK’s proposed nationwide model of contact tracing is the use of an app – NHS CV19 – which is being developed by NHSX, the National Health Service digital transformation unit. The intention is that all information on the app will be anonymised, so that alerts will only disclose information about proximity to the virus and whether other users are experiencing symptoms.

Contact tracing apps hold considerable promise. But use of the CV19 app is not intended to be mandatory, and there is evidence that voluntary take-up tends to be low. In Singapore, where a contact tracing app was launched last month, fewer than 20 percent of the population reportedly installed it.

A recent report led by Oxford University academics suggests that the epidemic can be suppressed with 80 percent of all smartphone users in the UK using the app, which corresponds to 56 percent of the population overall (assuming no use of the app in children under the age of 10, and low use of smartphones and therefore of the app in adults over the age of 70).

This is a real challenge, not least because, as NHSX recognises, many will be concerned that contact tracing apps may undermine their right to privacy. These concerns arise from the potential (whether by reason of lack of compliance with applicable laws, a faulty design or a potential data breach) for:

  • Exposure of an infected individual’s medical condition (which in data protection law constitutes special category data, the processing of which involves stricter conditions than that of other personal data).
  • Use of the data collected by the contact tracing app for purposes other than management of the pandemic (e.g. for commercial or law enforcement purposes).
  • Wider, unjustified collection of personal data about an individual. This can occur, for instance, where the app also tracks individuals’ physical movement through location data, which is reported to be more accurate than the data obtained by using Bluetooth Low Energy technology (the technology which will be used by the CV19 app).

Of course, the case for contact tracing apps is that their negative impact on individuals’ right to privacy is massively outweighed by saving thousands of lives and allowing economic and social life to return to normal more quickly.

But another perceived risk needs to be flagged: if the data becomes available to the public (whether by reason of a faulty design of the app or a data breach), people may avoid visiting an outlet that an infected individual is reported to have attended. A more remote risk, of which there have reportedly been cases in China and South Korea, is that business owners may be subject to blackmail where self-reporting of symptoms is done in bad faith.

Putting security measures in place

Addressing these perceived risks involves implementing three types of safeguards. The starting point is to design an app which incorporates strong security measures preventing data breaches and uses the least intrusive technology to record when a phone has come into close proximity with anyone else using the app. That is what NHSX have set out to do.

It will then be necessary to ensure that the app’s processing of individuals’ personal data is carried out in accordance with applicable data protection laws. This will involve, in particular, clearly defining who the data controller is (thereby limiting access to data to those who need to access it); what the purposes of the processing activity are (these must be strictly limited to the management of the covid-19 pandemic); and what the lawful basis of the processing is (which will not necessarily be based on the users’ consent, even if the use of the app is voluntary).

It will also be necessary to ensure that the use of personal data is adequate, necessary and proportionate. The proposed anonymisation of the personal data which will be processed through the app will be crucial in achieving this. Beyond anonymisation, the processing activity will need to comply with applicable data protection principles such as the data minimisation and storage limitation principles (which will ensure that the app only collects data which is strictly necessary for the purposes of contact tracing, and that the data is not retained indefinitely).

It will also be necessary to carry out a data protection impact assessment, which involves a systematic analysis of the data protection risks of a processing activity in order to identify and minimise them. The data protection impact assessment should be published and made available to the public.

Finally, the public information campaign about the app will need to inform the general population not only about the existence of the app and its benefits, but also about the fact that the app is secure and minimises intrusion and interference with users’ rights as much as possible. It should set out in plain language the steps taken to achieve this.

Taking the above steps should ensure the highest possible level of take-up, and therefore the ultimate effectiveness of the app.