The privacy dilemma surrounding the coronavirus contact tracing app

In late April we blogged about the NHSX developing a contact tracing app to help stop the spread of coronavirus and highlighted some of the privacy concerns that will need to be considered in the course of its development. Unfortunately, at the time of writing, the app is still yet to be released nationwide, although a beta version is being trialled on the Isle of Wight and development continues. In this blog we provide an update on the proposed functionality of the app and the privacy issues caused by that functionality which are delaying its release.
 

Privacy by design?

Contact tracing apps are intrusive by nature, given that they are designed to detect and record when you are close to other app users via Bluetooth signal exchanges and later alert you if any of those users has reported developing coronavirus symptoms. Users who have developed coronavirus must self-isolate and can use the app to obtain coronavirus tests, and those who have recently come into close contact with users displaying symptoms must also self-isolate and, if they develop symptoms, report them via the app.

A contentious issue is whether contact tracing apps should operate based on a ‘centralised’ or ‘decentralised’ model with different approaches being adopted by national governments. The distinction is essentially a matter of privacy, namely are you happy for data about where you have been and who you have been in touch with to be stored on a central repository (the centralised model) or do you want that data to only be analysed locally on your smartphone, so that it is not collated in a third party database (the decentralised model)? In either case, the GDPR requires ‘data protection by design and by default’ which means app developers must put in place appropriate technical and organisational measures to implement the data protection principles and protect individual rights e.g. through the anonymisation or pseudonymisation of data. The NHSX has stated that its app will “not collect personally identifiable data from users” (such as names and full addresses) and that “users will always remain anonymous” (given the use of numerical identifiers for each user). However, the structure of the centralised model currently favoured by the NHSX for its app raises concerns that the anonymous data collected by the NHS could still be used to identify specific individuals.  

Centralised data

As the time of writing, the NHSX app is based on the centralised model, so that the public health authorities can use anonymous data to identify virus hotspots and understand how the disease is spreading.

This is achieved after an ill user anonymously reports their symptoms to the NHS via the app, prompting the app to provide the NHS with anonymous data about all other app users with whom the ill user has recently come into close contact (including the proximity and duration of such contact). Each user who has recently come into close contact with the ill user will also be alerted via the app. 

Despite reassurances from the NHSX that “the data will only ever be used for NHS care, management, evaluation and research” sceptics argue that a centralised system would allow that data to be combined with location data, clinical data and other information to be used for unrelated surveillance purposes after the pandemic. In addition, a large central repository of data is, of course, subject to hacking and the NHS does not have a particularly good recent track record in respect of cybersecurity.

It is important to bear in mind that data processing has to be fair, lawful and transparent in order to be justified under the GDPR. This means that clear information must be provided to app users about what data is collected and how it is used before they download the app. Further, the purpose limitation principle of the GDPR requires that data is not used in unexpected ways. With these points in mind, uses of data by the NHS that adversely impact the rights of individuals are likely to be challenged.

Another point to note is that centralised apps exchange Bluetooth contact signals in the ‘foreground’ of the smartphone which, depending on the smartphone’s operating system, could mean that it must be unlocked at all times with the screen switched on. Data stored on the smartphone will therefore be less secure, given that smartphones are particularly vulnerable to hacking via Bluetooth. In addition, use of a centralised app seems highly likely to rapidly drain the battery life of a smartphone, thereby decreasing the likelihood of the public using the app and undermining its usefulness.

Decentralised data

Apple and Google have developed APIs and operating technology to enable contact tracing based on a decentralised system, whereby smartphones exchange Bluetooth contact signals in the background, even when the smartphone is locked.

Privacy prevails in the decentralised model where, in short, the user anonymously reports their coronavirus symptoms to the public health authority via the app, which will (locally on each user’s device) alert other users who have recently come into close contact with the symptomatic user.

If the NHSX adopts a decentralised system it would receive far less data than it would via the centralised system as, whilst it would know the anonymous identifier of the smartphone that has reported symptoms, it would not know which users that person has come into contact with, as that data stays on the smartphones. However, whilst maintaining increased levels of privacy, the decentralised model arguably makes it more difficult for the NHS to monitor the spread of the disease and protect the health of the public.  

What next?

The NHSX is continuing to test and develop its contact tracing app, however recent media reports have suggested that the continuing delays of its full release are because the NHSX have taken on board privacy concerns and have switched to developing the app on the basis of the decentralised model. This seems prudent given that adopting a centralised app model would leave the UK as an outlier in comparison to the approach taken by other nations, as the majority of countries which have released contact tracing apps are using the decentralised model. Many of those countries have, to date, had far greater success in preventing the spread of coronavirus than the UK e.g. Germany and Australia.

The UK’s strategy to reduce the spread of coronavirus has often initially been at odds with successful approaches taken by other nations, evidenced most clearly by our delay to enter into lockdown. Sadly, it feels that the approach with our contact tracing app is yet another example of the UK failing to quickly to adopt successful approaches used abroad, resulting in unnecessary delays to essential tools in the response to the pandemic.

If you have an enquiry about data protection, please get in touch with our Data Protection team.

ABOUT THE AUTHOR

Alex Torpey is an Associate in the corporate and commercial department. Alex advises technology, startup and established companies as well as entrepreneurs on a variety of legal issues for commercial contracts including data protection compliance, licensing and ownership of intellectual property rights, confidentiality and liability.