COVID-19 and contact tracing apps: A test of public confidence in data privacy?
Contact tracing apps are intrusive by nature, given that they are designed to detect and record when you are close to other app users via Bluetooth signal exchanges and later alert you if any of those users has reported developing coronavirus symptoms. Users who have developed coronavirus must self-isolate and can use the app to obtain coronavirus tests, and those who have recently come into close contact with users displaying symptoms must also self-isolate and, if they develop symptoms, report them via the app.
A contentious issue is whether contact tracing apps should operate based on a ‘centralised’ or ‘decentralised’ model with different approaches being adopted by national governments. The distinction is essentially a matter of privacy, namely are you happy for data about where you have been and who you have been in touch with to be stored on a central repository (the centralised model) or do you want that data to only be analysed locally on your smartphone, so that it is not collated in a third party database (the decentralised model)? In either case, the GDPR requires ‘data protection by design and by default’ which means app developers must put in place appropriate technical and organisational measures to implement the data protection principles and protect individual rights e.g. through the anonymisation or pseudonymisation of data. The NHSX has stated that its app will “not collect personally identifiable data from users” (such as names and full addresses) and that “users will always remain anonymous” (given the use of numerical identifiers for each user). However, the structure of the centralised model currently favoured by the NHSX for its app raises concerns that the anonymous data collected by the NHS could still be used to identify specific individuals.
At the time of writing, the NHSX app is based on the centralised model, so that the public health authorities can use anonymous data to identify virus hotspots and understand how the disease is spreading.
This is achieved after an ill user anonymously reports their symptoms to the NHS via the app, prompting the app to provide the NHS with anonymous data about all other app users with whom the ill user has recently come into close contact (including the proximity and duration of such contact). Each user who has recently come into close contact with the ill user will also be alerted via the app.
Despite reassurances from the NHSX that “the data will only ever be used for NHS care, management, evaluation and research” sceptics argue that a centralised system would allow that data to be combined with location data, clinical data and other information to be used for unrelated surveillance purposes after the pandemic. In addition, a large central repository of data is, of course, subject to hacking and the NHS does not have a particularly good recent track record in respect of cybersecurity.
It is important to bear in mind that data processing has to be fair, lawful and transparent in order to be justified under the GDPR. This means that clear information must be provided to app users about what data is collected and how it is used before they download the app. Further, the purpose limitation principle of the GDPR requires that data is not used in unexpected ways. With these points in mind, uses of data by the NHS that adversely impact the rights of individuals are likely to be challenged.
Another point to note is that centralised apps exchange Bluetooth contact signals in the ‘foreground’ of the smartphone which, depending on the smartphone’s operating system, could mean that it must be unlocked at all times with the screen switched on. Data stored on the smartphone will therefore be less secure, given that smartphones are particularly vulnerable to hacking via Bluetooth. In addition, use of a centralised app seems highly likely to rapidly drain the battery life of a smartphone, thereby decreasing the likelihood of the public using the app and undermining its usefulness.
Apple and Google have developed APIs and operating technology to enable contact tracing based on a decentralised system, whereby smartphones exchange Bluetooth contact signals in the background, even when the smartphone is locked.
Privacy prevails in the decentralised model where, in short, the user anonymously reports their coronavirus symptoms to the public health authority via the app, which will (locally on each user’s device) alert other users who have recently come into close contact with the symptomatic user.
If the NHSX adopts a decentralised system it would receive far less data than it would via the centralised system as, whilst it would know the anonymous identifier of the smartphone that has reported symptoms, it would not know which users that person has come into contact with, as that data stays on the smartphones. However, whilst maintaining increased levels of privacy, the decentralised model arguably makes it more difficult for the NHS to monitor the spread of the disease and protect the health of the public.
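The difference in what the health authority ends up holding under each model can be seen in a small simulation. This is an added illustration, not code from the NHSX app or the Apple and Google APIs; the `Phone` class, the function names, the sample encounters and the server-side `registry` that maps identifiers back to installs are all assumptions made for the sketch.

```python
import secrets

class Phone:
    """One app install in a simplified model (hypothetical, not any real app's API)."""
    def __init__(self, name):
        # name stands in for a pseudonymous install ID, not a real identity
        self.name, self.sent, self.heard = name, [], []

    def broadcast(self):
        token = secrets.token_hex(8)      # random identifier, carries no name or address
        self.sent.append(token)
        return token

def meet(a, b, minutes, metres):
    """Both phones record the other's identifier plus duration and proximity."""
    a.heard.append((b.broadcast(), minutes, metres))
    b.heard.append((a.broadcast(), minutes, metres))

def centralised_report(ill, registry):
    """Reporter uploads its whole contact log; the server resolves who to alert.
    Assumption: the server can map each identifier back to an install (registry)."""
    stored = [(ill.name, registry[t], mins, m) for t, mins, m in ill.heard]
    return stored, {registry[t] for t, _, _ in ill.heard}

def decentralised_report(ill):
    """Reporter uploads only the identifiers it broadcast itself."""
    return list(ill.sent)

def local_match(phone, published):
    """Runs on each phone: compare identifiers heard with those published."""
    pub = set(published)
    return [(mins, m) for t, mins, m in phone.heard if t in pub]

def scenario():
    alice, bob, carol, dave = (Phone(n) for n in ("alice", "bob", "carol", "dave"))
    meet(alice, bob, 20, 1.5)             # constructed sample encounters
    meet(alice, carol, 5, 3.0)
    meet(carol, dave, 30, 1.0)            # dave never met alice
    registry = {t: p.name for p in (alice, bob, carol, dave) for t in p.sent}
    stored, alerted = centralised_report(alice, registry)
    published = decentralised_report(alice)
    return {
        "central_store": stored,          # contact graph edges held by the authority
        "central_alerted": alerted,
        "decentral_store": published,     # reporter's identifiers only
        "local_alerts": {p.name: local_match(p, published) for p in (bob, carol, dave)},
    }

if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```

In the centralised run the authority's store contains who met whom, for how long and how closely; in the decentralised run it holds only the reporter's own random identifiers, and the proximity and duration data never leave the phones that recorded them.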
The NHSX is continuing to test and develop its contact tracing app; however, recent media reports have suggested that the continuing delays to its full release are because the NHSX has taken on board privacy concerns and has switched to developing the app on the basis of the decentralised model. This seems prudent given that adopting a centralised app model would leave the UK as an outlier in comparison to the approach taken by other nations, as the majority of countries which have released contact tracing apps are using the decentralised model. Many of those countries have, to date, had far greater success in preventing the spread of coronavirus than the UK, e.g. Germany and Australia.
The UK’s strategy to reduce the spread of coronavirus has often initially been at odds with successful approaches taken by other nations, evidenced most clearly by our delay in entering lockdown. Sadly, it feels that the approach with our contact tracing app is yet another example of the UK failing to quickly adopt successful approaches used abroad, resulting in unnecessary delays to essential tools in the response to the pandemic.
Alex Torpey is an Associate in the corporate and commercial department. Alex advises technology, startup and established companies as well as entrepreneurs on a variety of legal issues for commercial contracts including data protection compliance, licensing and ownership of intellectual property rights, confidentiality and liability.