The privacy dilemma surrounding the coronavirus contact tracing app

10 June 2020

In late April we blogged about the NHSX developing a contact tracing app to help stop the spread of coronavirus and highlighted some of the privacy concerns that will need to be considered in the course of its development. Unfortunately, at the time of writing, the app is still yet to be released nationwide, although a beta version is being trialled on the Isle of Wight and development continues. In this blog we provide an update on the proposed functionality of the app and the privacy issues caused by that functionality which are delaying its release.

Privacy by design?

Contact tracing apps are intrusive by nature, given that they are designed to detect and record when you are close to other app users via Bluetooth signal exchanges and later alert you if any of those users has reported developing coronavirus symptoms. Users who have developed coronavirus must self-isolate and can use the app to obtain coronavirus tests, and those who have recently come into close contact with users displaying symptoms must also self-isolate and, if they develop symptoms, report them via the app.

A contentious issue is whether contact tracing apps should operate based on a ‘centralised’ or ‘decentralised’ model, with different approaches being adopted by national governments. The distinction is essentially a matter of privacy, namely: are you happy for data about where you have been and who you have been in touch with to be stored on a central repository (the centralised model), or do you want that data to only be analysed locally on your smartphone, so that it is not collated in a third party database (the decentralised model)? In either case, the GDPR requires ‘data protection by design and by default’, which means app developers must put in place appropriate technical and organisational measures to implement the data protection principles and protect individual rights, e.g. through the anonymisation or pseudonymisation of data. The NHSX has stated that its app will “not collect personally identifiable data from users” (such as names and full addresses) and that “users will always remain anonymous” (given the use of numerical identifiers for each user). However, the structure of the centralised model currently favoured by the NHSX for its app raises concerns that the anonymous data collected by the NHS could still be used to identify specific individuals.

Centralised data

At the time of writing, the NHSX app is based on the centralised model, so that the public health authorities can use anonymous data to identify virus hotspots and understand how the disease is spreading.

This is achieved after an ill user anonymously reports their symptoms to the NHS via the app, prompting the app to provide the NHS with anonymous data about all other app users with whom the ill user has recently come into close contact (including the proximity and duration of such contact). Each user who has recently come into close contact with the ill user will also be alerted via the app. 

Despite reassurances from the NHSX that “the data will only ever be used for NHS care, management, evaluation and research” sceptics argue that a centralised system would allow that data to be combined with location data, clinical data and other information to be used for unrelated surveillance purposes after the pandemic. In addition, a large central repository of data is, of course, subject to hacking and the NHS does not have a particularly good recent track record in respect of cybersecurity.

It is important to bear in mind that data processing has to be fair, lawful and transparent in order to be justified under the GDPR. This means that clear information must be provided to app users about what data is collected and how it is used before they download the app. Further, the purpose limitation principle of the GDPR requires that data is not used in unexpected ways. With these points in mind, uses of data by the NHS that adversely impact the rights of individuals are likely to be challenged.

Another point to note is that centralised apps exchange Bluetooth contact signals in the ‘foreground’ of the smartphone which, depending on the smartphone’s operating system, could mean that it must be unlocked at all times with the screen switched on. Data stored on the smartphone will therefore be less secure, given that smartphones are particularly vulnerable to hacking via Bluetooth. In addition, use of a centralised app seems highly likely to rapidly drain the battery life of a smartphone, thereby decreasing the likelihood of the public using the app and undermining its usefulness.

Decentralised data

Apple and Google have developed APIs and operating technology to enable contact tracing based on a decentralised system, whereby smartphones exchange Bluetooth contact signals in the background, even when the smartphone is locked.

Privacy prevails in the decentralised model where, in short, the user anonymously reports their coronavirus symptoms to the public health authority via the app, which will (locally on each user’s device) alert other users who have recently come into close contact with the symptomatic user.

If the NHSX adopts a decentralised system it would receive far less data than it would via the centralised system as, whilst it would know the anonymous identifier of the smartphone that has reported symptoms, it would not know which users that person has come into contact with, as that data stays on the smartphones. However, whilst maintaining increased levels of privacy, the decentralised model arguably makes it more difficult for the NHS to monitor the spread of the disease and protect the health of the public.  
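The difference in what the central server ends up holding under each model can be seen in a small simulation. This is an added illustration, not NHSX or Apple/Google code; the class, function names, identifiers and encounter data are all constructed assumptions, and the real protocols are considerably more involved.

```python
import secrets

class Phone:
    """A handset that logs Bluetooth encounters under a random identifier."""
    def __init__(self):
        self.anon_id = secrets.token_hex(8)  # numerical identifier, no name or address
        self.encounters = {}                 # other phone's anon_id -> minutes nearby
        self.alerted = False

    def meet(self, other, minutes):
        # Both handsets record the encounter locally.
        self.encounters[other.anon_id] = self.encounters.get(other.anon_id, 0) + minutes
        other.encounters[self.anon_id] = other.encounters.get(self.anon_id, 0) + minutes

def centralised_report(ill, phones, server):
    """The ill user's app uploads its contact log; the server decides who to alert."""
    server["reports"].append(ill.anon_id)
    for contact_id, minutes in ill.encounters.items():
        server["contact_edges"].append((ill.anon_id, contact_id, minutes))
    exposed = {contact for _, contact, _ in server["contact_edges"]}
    for p in phones:
        p.alerted = p.anon_id in exposed     # matching happens on the server

def decentralised_report(ill, phones, server):
    """Only the ill user's identifier is uploaded; each phone checks its own log."""
    server["reports"].append(ill.anon_id)
    for p in phones:
        # Matching happens on the device; the contact log never leaves it.
        p.alerted = any(r in p.encounters for r in server["reports"])

def simulate(report):
    """Constructed scenario: a meets b, b meets c, then a reports symptoms."""
    a, b, c = Phone(), Phone(), Phone()
    a.meet(b, 20)
    b.meet(c, 5)                             # c was never near a
    server = {"reports": [], "contact_edges": []}
    report(a, [a, b, c], server)
    return server, [p.alerted for p in (a, b, c)]

if __name__ == "__main__":
    for model in (centralised_report, decentralised_report):
        server, alerts = simulate(model)
        print(model.__name__, "edges held by server:", len(server["contact_edges"]),
              "alerts:", alerts)
```

Both models alert the same user, but only the centralised run leaves the server holding who-met-whom records, which is the data a breach or later repurposing would expose.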

What next?

The NHSX is continuing to test and develop its contact tracing app; however, recent media reports have suggested that the continuing delays of its full release are because the NHSX have taken on board privacy concerns and have switched to developing the app on the basis of the decentralised model. This seems prudent given that adopting a centralised app model would leave the UK as an outlier in comparison to the approach taken by other nations, as the majority of countries which have released contact tracing apps are using the decentralised model. Many of those countries have, to date, had far greater success in preventing the spread of coronavirus than the UK, e.g. Germany and Australia.

The UK’s strategy to reduce the spread of coronavirus has often initially been at odds with successful approaches taken by other nations, evidenced most clearly by our delay to enter into lockdown. Sadly, it feels that the approach with our contact tracing app is yet another example of the UK failing to quickly adopt successful approaches used abroad, resulting in unnecessary delays to essential tools in the response to the pandemic.

If you have an enquiry about data protection, please get in touch with our Data Protection team.


Alex Torpey is an Associate in the corporate and commercial department. Alex advises technology startup and established companies as well as entrepreneurs on a variety of legal issues for commercial contracts including data protection compliance, licensing and ownership of intellectual property rights, confidentiality and liability.

