We are now all familiar with the latest Government Coronavirus slogan: “test, track and trace”. Central to this new mantra is the NHSX App developed in conjunction with Oxford University and VMWare designed to inform users if they have been in contact with anyone who has tested positive for COVID-19. NHSX is a Government unit founded a year ago with responsibility for setting national policy and developing best practice for National Health Service technology, digital and data, including data sharing and transparency.
While many countries have adopted contact tracing applications as a part of the fight against COVID-19, the UK – together with Japan and France – has adopted a unique approach by creating a centralised application where information is sent to a remote server (as opposed to being stored on the phone). Although supporters of the UK’s centralised model argue it will give the Government more insight into the spread of COVID-19, backers of the decentralised approach argue theirs offers a higher degree of privacy and reduces risk of hackers obtaining the data through a central server.
On the face of it, the benefits of the NHSX App currently being trialled on the Isle of Wight are obvious; the hope is by pinpointing more precisely individuals who should be in quarantine the Government will be able to safely ease the lock-down restrictions for the rest of the country. However, contact tracing is not without its drawbacks and by adopting a centralised approach the Government must ensure it navigates the regulatory requirements of the GDPR and the Data Protection Act 2018, because the NHSX App relies on the processing of personal data and special category data (i.e. sensitive personal data).
Although they have existed for many years as a tool of good practice to help ensure compliance with key data protection obligations, GDPR introduced for the first time a legal requirement for a Data Protection Impact Assessment (DPIA) to be carried out in respect of processing activities which are likely to result in a high risk for individuals.
Hence it came as no real surprise that the ICO’s latest guidance, published on 4 May 2020 stated that “a Data Protection Impact Assessment (DPIA) is required for contact tracing solutions prior to implementation, given that the processing is likely to result in a high risk to the rights and freedoms of individuals.”
In this article, we attempt to assess the impact of the proposed contact tracing NHSX App against four of the core principles of the GDPR: Lawfulness, fairness and transparency; purpose limitation; data minimisation and accuracy. These principles are at the heart of the GDPR and should guide the Government’s approach to implementing the NHSX App.
Lawfulness, fairness and transparency
To comply with GDPR, information must be obtained fairly, and the individual must know how their medical and personal information is going to be used. To this end, the NHSX App will only collect three data points: the first half of the user’s postcode, the model of each user’s phone and information related to the user’s Bluetooth activity. The Government hopes that these data points can help them understand where, how and when COVID-19 is spreading.
Whilst use of the NHSX App will be entirely voluntary, the more people who download and use it, the more effective it will be in monitoring the spread of COVID-19 and help towards the easing of lockdown conditions. However, academics from the University of Oxford say that at least 60 per cent of the population would need to actively use the NHSX App to reduce the spread of COVID-19.
As widespread user adoption is essential to the success of contact tracing, the Government needs to produce a clear and transparent statement of purpose in order to encourage the population to have confidence in the NHSX App without fearing for what other purpose the Government might use their data. The Government should also make all the DPIA documentation related to the NHSX App available to the general public to ensure that data subjects are sufficiently informed about the privacy risks before downloading and using the NHSX App.
The stated purpose of the NHSX App is to track individuals who have been exposed to COVID-19, to require them to self-isolate and those with whom they have had recent contact. However, there are legitimate concerns that the purpose and functionality of the NHSX App could potentially become wider than originally anticipated by adding features which could ultimately become tools for mass surveillance even after COVID-19 has been controlled, mitigated or vaccinated against. Measures should therefore be in place to cease the processing of the data obtained from using the NHSX App once its primary purpose has been achieved and even to deactivate the NHSX App permanently.
Additionally, individuals should be updated where any change to the original purpose is proposed. Any new features should be subject to a continuous DPIA process (which should also be published on an ongoing basis) where the rights and freedoms of individuals are weighed against the benefits of the new feature. The key, in each instance, will be to ensure that any measures taken do not go beyond the stated purpose.
It is essential to the principal of data minimisation that the NHSX App does not collect any more personal data than is strictly necessary to stop the spread of COVID-19.
Although the NHSX App has been created to collect as little user information as possible (for example, GPS is not enabled and the NHSX App relies on Bluetooth to track interactions between individuals nor is there is any need to provide names or email addresses) that is not to say that the data processed through the NHSX App is truly anonymous, at least not from a legal standpoint.
Under the GDPR, “personal data” is defined as any information that can identify a living individual. While the Bluetooth logging system in the NHSX App doesn’t collect location information, or other types of data, it does create an identifier (known as Installation ID) for every phone that uses the NHSX App. This counts as something that could lead to the identification of an individual.
In Downing Street briefings during the Pandemic crisis, the Health Secretary, Matt Hancock, has consistently emphasised that the NHSX App does not collect ‘personal data’. Whilst it is true that the NHSX App does not collect a user’s name, email address or terrestrial address it does collect information which is considered ‘personal’ from a legal perspective. The Government should therefore exercise caution when using legal definitions to ensure that they are accurate.
Perhaps an understated consideration in the DPIA of the NHSX App is the principle of accuracy. This is especially important because inaccurate data would render the NHSX App useless. At present, the use of Bluetooth for contact tracing has not been properly trialled and there are technological concerns around the accuracy of Bluetooth for these purposes. Darren Scott, managing director of Deane Computer Solutions, points out that “Bluetooth is unable to accurately measure distance between two devices which could therefore result in false positive.” For example, it goes without saying that Bluetooth is unable to determine whether a person is wearing PPE. It is difficult for any Government to justify the collection of personal data if the data cannot be used effectively for the stated purpose.
Ultimately, at least for now, the NHSX App remains voluntary and each individual must decide how much personal data they are willing to provide in order to reduce the spread of COVID-19 and contribute to the easing of the lockdown and a return to something resembling the normality we enjoyed beforehand.
Consistent with our policy when giving comment and advice on a non-specific basis, we cannot assume legal responsibility for the accuracy of any particular statement. In the case of specific problems we recommend that professional advice be sought.