The privacy dilemma surrounding the coronavirus contact tracing app

10 June 2020

In late April we blogged about the NHSX developing a contact tracing app to help stop the spread of coronavirus and highlighted some of the privacy concerns that will need to be considered in the course of its development. Unfortunately, at the time of writing, the app is still yet to be released nationwide, although a beta version is being trialled on the Isle of Wight and development continues. In this blog we provide an update on the proposed functionality of the app and the privacy issues caused by that functionality which are delaying its release.

Privacy by design?

Contact tracing apps are intrusive by nature, given that they are designed to detect and record when you are close to other app users via Bluetooth signal exchanges and later alert you if any of those users has reported developing coronavirus symptoms. Users who have developed coronavirus must self-isolate and can use the app to obtain coronavirus tests, and those who have recently come into close contact with users displaying symptoms must also self-isolate and, if they develop symptoms, report them via the app.

A contentious issue is whether contact tracing apps should operate based on a ‘centralised’ or ‘decentralised’ model with different approaches being adopted by national governments. The distinction is essentially a matter of privacy, namely are you happy for data about where you have been and who you have been in touch with to be stored on a central repository (the centralised model) or do you want that data to only be analysed locally on your smartphone, so that it is not collated in a third party database (the decentralised model)? In either case, the GDPR requires ‘data protection by design and by default’ which means app developers must put in place appropriate technical and organisational measures to implement the data protection principles and protect individual rights e.g. through the anonymisation or pseudonymisation of data. The NHSX has stated that its app will “not collect personally identifiable data from users” (such as names and full addresses) and that “users will always remain anonymous” (given the use of numerical identifiers for each user). However, the structure of the centralised model currently favoured by the NHSX for its app raises concerns that the anonymous data collected by the NHS could still be used to identify specific individuals.  

Centralised data

As the time of writing, the NHSX app is based on the centralised model, so that the public health authorities can use anonymous data to identify virus hotspots and understand how the disease is spreading.

This is achieved after an ill user anonymously reports their symptoms to the NHS via the app, prompting the app to provide the NHS with anonymous data about all other app users with whom the ill user has recently come into close contact (including the proximity and duration of such contact). Each user who has recently come into close contact with the ill user will also be alerted via the app. 

Despite reassurances from the NHSX that “the data will only ever be used for NHS care, management, evaluation and research” sceptics argue that a centralised system would allow that data to be combined with location data, clinical data and other information to be used for unrelated surveillance purposes after the pandemic. In addition, a large central repository of data is, of course, subject to hacking and the NHS does not have a particularly good recent track record in respect of cybersecurity.

It is important to bear in mind that data processing has to be fair, lawful and transparent in order to be justified under the GDPR. This means that clear information must be provided to app users about what data is collected and how it is used before they download the app. Further, the purpose limitation principle of the GDPR requires that data is not used in unexpected ways. With these points in mind, uses of data by the NHS that adversely impact the rights of individuals are likely to be challenged.

Another point to note is that centralised apps exchange Bluetooth contact signals in the ‘foreground’ of the smartphone which, depending on the smartphone’s operating system, could mean that it must be unlocked at all times with the screen switched on. Data stored on the smartphone will therefore be less secure, given that smartphones are particularly vulnerable to hacking via Bluetooth. In addition, use of a centralised app seems highly likely to rapidly drain the battery life of a smartphone, thereby decreasing the likelihood of the public using the app and undermining its usefulness.

Decentralised data

Apple and Google have developed APIs and operating technology to enable contact tracing based on a decentralised system, whereby smartphones exchange Bluetooth contact signals in the background, even when the smartphone is locked.

Privacy prevails in the decentralised model where, in short, the user anonymously reports their coronavirus symptoms to the public health authority via the app, which will (locally on each user’s device) alert other users who have recently come into close contact with the symptomatic user.

If the NHSX adopts a decentralised system it would receive far less data than it would via the centralised system as, whilst it would know the anonymous identifier of the smartphone that has reported symptoms, it would not know which users that person has come into contact with, as that data stays on the smartphones. However, whilst maintaining increased levels of privacy, the decentralised model arguably makes it more difficult for the NHS to monitor the spread of the disease and protect the health of the public.  

What next?

The NHSX is continuing to test and develop its contact tracing app, however recent media reports have suggested that the continuing delays of its full release are because the NHSX have taken on board privacy concerns and have switched to developing the app on the basis of the decentralised model. This seems prudent given that adopting a centralised app model would leave the UK as an outlier in comparison to the approach taken by other nations, as the majority of countries which have released contact tracing apps are using the decentralised model. Many of those countries have, to date, had far greater success in preventing the spread of coronavirus than the UK e.g. Germany and Australia.

The UK’s strategy to reduce the spread of coronavirus has often initially been at odds with successful approaches taken by other nations, evidenced most clearly by our delay to enter into lockdown. Sadly, it feels that the approach with our contact tracing app is yet another example of the UK failing to quickly to adopt successful approaches used abroad, resulting in unnecessary delays to essential tools in the response to the pandemic.

If you have an enquiry about data protection, please get in touch with our Data Protection team.


Alex Torpey is an Associate in the corporate and commercial department. Alex advises technologystartup and established companies as well as entrepreneurs on a variety of legal issues for commercial contracts including data protection compliance, licensing and ownership of intellectual property rights, confidentiality and liability.


Latest blogs and news

Recent tribunal cases involving Covid-19

Nick Ralph looks in detail at recent cases that have stemmed from the pandemic, including a refusal to attend work due to fear of contracting the virus.

Covid vaccination and the workplace – what you need to know

One of the most topical issues regarding Covid-19 is that of vaccination and whether it should be mandatory. 

Stories regarding big employers such as Citibank in the US mandating vaccination as a condition of employment (“no jab, no job”), the experience of great sports personalities such as Novak Djokovic and the decision of the Supreme Court in the US last week regarding laws mandating vaccination in the private sector, have all brought this issue into the spotlight.

So what is the legal position in the UK?  

The Covid-19 Inquiry – the importance of the terms of reference

Any day now the Covid-19 Inquiry will publish draft terms of reference. This will be a significant event.  Once agreed, the terms of reference will determine the scope and length of the inquiry which is due to begin its work in the Spring.  In turn this will have a direct impact on how valuable the inquiry turns out to be.  

The future of the City: An insight into the effect of coronavirus on commercial tenants

On 16 March 2020 Number 10 advised those living in the UK against “non-essential travel” in order to curb the growing outbreak of Coronavirus. This encouraged many office-based businesses to communicate to their employees that they should work from home until further notice. 

Back to the workplace – the new guidance and key considerations for employers

With lockdown restrictions moving to “Stage 4” of the Government’s roadmap to recovery, one of the key questions will be what this means with regard to returning to the workplace and, in a recent article, we considered the rights of employees on this issue.

COVID-19 Fraud: HMRC ramps up its investigations activity

In March 2021 the Chancellor announced the establishment of a taskforce to investigate those who may have fraudulently made use of government schemes set up to protect individuals and businesses against the economic impact of COVID-19 – such as the Coronavirus Job Retention Scheme (CJRS) (widely referred to as the Furlough scheme), the Self-Employment Income Support Scheme (SEISS) and the ‘Eat Out to Help Out’ Scheme.

Mandatory Covid-19 Vaccinations for Care Home Workers

This week, the Government announced that Covid-19 vaccinations will be made compulsory for care home staff, raising strong emotions on both sides of the argument.

How immune are COVID-19 relief scheme fraudsters from law enforcement action?

The devastating economic impact of the COVID-19 pandemic has led to unprecedented levels of government support aimed at keeping jobs intact and businesses afloat. Although the news is beginning to promise a path out of lockdown and a gradual return to some degree of normality, equally as prominent are reports of fraudulent abuse of the COVID-19 support schemes and the government’s planned response.

Arrests of care home workers following COVID-19 outbreaks: a review of criminal liability

In late February 2021 a news article reported that a care home worker had been arrested on suspicion of gross negligence manslaughter after a patient died of COVID-19. In late March 2021, two further care home workers were arrested on suspicion of wilful neglect. We look at how those working in care homes can potentially face criminal liability in respect of COVID-19 cases.

COVID-19 Fraud: New Taxpayer Protection Taskforce

In the Budget 2021, presented to Parliament on 3 March, the Chancellor announced that HMRC will establish a taskforce to investigate those who have fraudulently made use of government schemes set up to protect individuals and businesses against the economic impact of COVID-19 – such as the Coronavirus Job Retention Scheme (CJRS) (widely referred to as the Furlough scheme) and the Self-Employment Income Support Scheme (SEISS).

Coaching, Teaching and Support Work in Lockdown: Safeguarding and Data Protection considerations when working with children online

The COVID-19 crisis has forced sports clubs, schools, universities and charities to rapidly change their approaches to coaching, teaching and support work. The regulations on social distancing have forced organisations to innovate; services which had previously been offered mostly or wholly in person were rapidly shifted online during “lockdown 1” and will return online at least for the duration of “lockdown 3”.  If the vaccine rollout has the desired effect there will no doubt be some return to “traditional” methods, but it seems very unlikely that the changes brought about by the pandemic will be completely reversed.  In this blog, Claire Parry from Kingsley Napley’s Regulatory team and Fred Allen from the Public Law team look at the challenges organisations face engaging with children online.

As Lockdown Ends – Updated Guidance on General Meetings During Covid

On 30 March 2021 the provisions of the Corporate Insolvency and Governance Act 2020 (“CIGA”) which allowed purely virtual general meetings will lapse, and the normal rules will apply.  ICSA have produced some useful guidance to assist companies in dealing with their general meetings in the light of this change.

£26 billion fraud: The other side of the Coronavirus Business Interruption Loan Schemes

We have previously examined how the Government’s Coronavirus Business Interruption Loan Schemes (the Bounce Back Loan Scheme (BBLS), Coronavirus Business Interruption Loan Scheme (CBILS) and Coronavirus Large Business Interruption Loan Scheme (CLBILS)(together the “Schemes”) work. A report issued by the Public Accounts Committee on 10 December 2020 highlights the darker side of the Schemes and what it is costing the UK taxpayer. 

Will There be Covid Compensation Claims?

In this blog Terence Donovan discuss legal issues arising from the pandemic when considering compensation claims.

FCA sets expectations for firms to record communications when working from home

FCA focuses on risks associated with unmonitored communications, including the use of unencrypted apps, such as WhatsApp, for sharing potentially sensitive or confidential information when working from home.

Regulation and Uptake of the COVID-19 Vaccine

The government has now approved the supply of the Pfizer-BioNTech COVID-19 vaccine. The reason they have been able to do this so quickly is because they have taken advantage of the temporary authorisation regime laid out by the Human Medicine Regulations of 2012 and 2020. The 2012 Regulations were updated in 2020 specifically to facilitate the smooth rollout of the COVID-19 vaccine. In the public consultation preceding the introduction of these updated regulations, several respondents raised concerns regarding unlicensed vaccines and immunity from civil liability. In practice, very little is known about these regulations and their application. This article seeks to shed some light on the temporary authorisation regime and suggest a means of alleviating concerns in the context of “vaccine hesitancy”.

The question of Christmas: How far can employers go in telling employees where to spend it?

The Government's latest announcement reducing quarantine requirements for travellers returning to England from 14 to 5 days post-15 December 2020 (providing they can provide a negative test result for COVID-19) once again raises questions for employers on what right they have to influence employees' overseas holiday and travel plans over the Christmas period.

Firms brace for negligence impact

Accounting firms should be bracing themselves for a rise in professional negligence claims as a result of the Covid-19 pandemic. 

Justice delayed is justice denied for clients in lockdown limbo

The top five most stressful events in life are commonly regarded as death of a loved one; divorce; major illness or injury; job loss; and moving house (in that order). Some might argue that the Covid-19 pandemic and associated lockdowns should be a new addition to this list. Not only does it make life more stressful but also the first four events more likely.

Parliamentary scrutiny in the time of Coronavirus

As a new nationwide lockdown comes into effect, Stephen Parkinson and Charlie Roe from our Public Law team, consider the often limited role of Parliament in scrutinising restrictive regulations throughout the COVID-19 pandemic.

COVID-19 related insights:

COVID-19 related insights:

Our COVID-19 statement

We recognise that these unique times are presenting unprecedented challenges for our clients and we are here to support you in any way we can.

Click to view

Can you get out of or suspend a contract because of Coronavirus?

Alex Torpey covers the key things to look out for if you are relying on the Force Majeure clause.

Watch the video on LinkedIn

Overcoming the challenges of co-parenting for separated and divorced parents

Rachel Freeman, Partner in our Family Law team, addresses some issues that we are seeing arise for separated parents in the current crisis.

Read the blog

Tech in Two Minutes - Episode 7 - The Coronavirus challenge for tech coworking spaces

Andrew Solomon speaks about the challenge for tech companies and coworking spaces during the current COVID-19 pandemic.

Listen to the podcast

The legal basis for lockdown

Alun Milford, Partner in our Criminal Litigation team, provides an in-depth look at the legal basis behind the current lockdown.

Read the blog

Managing your Migrant workforce in the COVID-19 crisis

On Friday 3 April, immigration partner and head of department, Nick Rollason, hosted a webinar looking at urgent issues employers are facing during the COVID-19 crisis and answered some of the key questions being raised.

Watch the webinar recording

Furlough leave and the Coronavirus Job Retention Scheme: key legal considerations for Employers

On Thursday 9 April, Andreas White, Partner in our Employment Law Team, delivered an overview of the scheme with a focus of the key legal issues for UK employers.

Watch the webinar recording

Coronavirus and the perils of signing your Will

Will instructions have apparently risen by 30% since COVID-19 reached our shores. What effect does COVID-19 have on Will signings? James Ward and Diva Shah in our Private Client team blog.

Read the blog

The juggling act of a single mother, home school teacher and head of a family team

Charlotte Bradley, Head of our Family Law Team, reflects on how the COVID-19 crisis has affected working parents like her.

Read the blog

The future public inquiry into COVID-19

Calls for a public inquiry are continuing to mount and are likely to prove difficult to resist. In this blog, Sophie Kemp considers the framework for such inquiries, and the key issues likely to form the core of its terms of reference.

Read the blog

Share insightLinkedIn Twitter Facebook Email to a friend Print

Email this page to a friend

We welcome views and opinions about the issues raised in this blog. Should you require specific advice in relation to personal circumstances, please use the form on the contact page.

Leave a comment

You may also be interested in:

Skip to content Home About Us Insights Services Contact Accessibility