COVID-19 and contact tracing apps: A test of public confidence in data privacy?

24 April 2020

Dominic Raab announced last week that the current UK lockdown would last for at least another three weeks. These restrictions are unlikely to be relaxed until a large scale plan is in place to track and restrict the spread of the virus. Part of this plan will involve the use of the NHS “contact tracing” app, which we have been told is in an advanced stage of development.

Public concerns about privacy may be a significant barrier to this technology assisting in the containment of the virus. One of the most significant challenges for the Government, and the bodies advising it, will be ensuring that the public have confidence in the data protection measures underpinning the app.

How contact tracing apps work

The goal of contact tracing is to identify who is infected or potentially infected and determine who they have come into contact with by analysing their movements. It is then possible to alert those people that they need to self-isolate, get tested and watch for symptoms.

Since approximately 80% [1] of the UK population are smartphone users, an app is the quickest and most comprehensive method to gather the data needed and communicate with individuals at risk. An in-app questionnaire could be developed to determine if the user had potentially caught Covid-19. The app would use Bluetooth technology to track those who had been in contact with the individual to the extent that it would put them at risk (for example, if contact was less than two-metre distance for longer than 15 minutes). An alert would then be sent to those who then needed to self-isolate.

The NHSX (the digital innovation unit of the health service), with the advice of academics, epidemiologists, and ethicists from Oxford University, have been developing this software for the UK. Combined with other measures, experts believe that contact tracing software will be critical in controlling the spread of the virus as well as preventing a resurgence of infection once government social restrictions are eventually lifted.

Success or failure depends on take up

An initial, and significant, issue is whether a sufficient number of individuals will download the app. The UK Government has confirmed that at least 60% of the population need to download the app for it to fulfil its purpose. [2] The release of Singapore’s “TraceTogether” app on 20 March highlights this concern. Only 12% of the population installed the app after its release, leading to a resurgence of new coronavirus cases after lockdown restrictions were eased in April. Even now, only 20% of Singapore’s population are signed up. [3]

There are many reasons for such reticence and concerns with respect to privacy, and they should not be discounted. Those that champion contact tracing apps as the answer to strict lockdowns often look to the success of South Korea, a country where the Government controversially used “surveillance footage and credit card transactions” to trace the movements of its citizens. [4]

This raises the question of whether contact tracing apps should be compulsory. In Poland, another country with experience of successful contact tracing, it is mandatory for all individuals infected with the Covid-19 to download the app. [5] However, especially given guidance from the European Commission that apps should remain voluntary, it is unlikely that the UK Government would take such a significant step.

Careful consideration of privacy concerns

The UK Information Commissioner has clearly stated that data protection legislation does not get in the way of innovative use of data in a public health emergency – as long as the core GDPR principles of transparency, fairness and proportionality are applied. [6]

However, there are significant questions about the mass collection of health data which require answers: What type of personal information would be collected? How long would it be stored for? What will this data be used for? How secure will this data be?

In addition, at what point will the health data collected be aggregated to the extent that individuals can no longer be identified? Such anonymised data falls outside data protection legislation. Anonymisation is a fiendishly complex issue given that identification of individuals from a number of disparate data points will always be a highly fact-specific question of degree and distribution of that data.

With respect to personal data, the European Commission recently published an online toolbox [7] to assist EU member states developing contact tracing apps. The toolbox outlines “prerequisites” for the development of such apps based on GDPR principles, including:

  • National health authorities will need to have clearly established accountability for compliance with the GDPR, although the national data protection authorities should be fully involved and consulted.
  • Users must remain in full control of their personal data. Installation of the app should be voluntary and a user should be able to give their consent to each functionality of an app separately. If proximity data is used, it should be stored on an individual's device and only shared with the user's consent.
  • Only personal data that is relevant and limited to the purpose in question can be processed. The Commission considers location data not necessary for the purpose of contact tracing and so should not be used.
  • Timelines for retaining the data should be based on medical relevance as well as the realistic duration for necessary administrative steps to be taken.
  • Data should be stored on an individual's device and encrypted.
  • Users must be able to exercise the full range of rights under the GDPR.

Public confidence in data protection in the UK?  

The success of any contact tracing app in the UK will depend upon allaying inevitable public concern over loss of privacy and data security. Experts warn that any app that does not protect the personal data of users will fail as the public will simply refuse to download and use it. [8]

As recommended by the European Commission, the UK Information Commissioner’s Office, has supported NHSX with both the development of the app and, even more critically, the de-commissioning of the project. As stated by the Information Commissioner:

“Put simply, we will want to see evidence that COVID-19 initiatives do what they intend to do –  that they work in practice, that they are proportionate, that people can access their rights in law, and that there is a plan in place to stand down measures when no longer needed.” [9]

The Information Commissioner has a track record as a robust regulator unafraid to take on big issues. With the support of the pragmatic guidance of the European Commission, the oversight of the project by the Information Commissioner should provide some measure of reassurance to those with privacy concerns.

In the words of European Data Protection Supervisor, Wojciech Wiewiorowski, “big data means big responsibility.” Matt Hancock, the Secretary of State responsible for the implementation of the GDPR in the UK, will no doubt understand the importance of compliance with data protection legislation when introducing centralised, large-scale, data-aggregating software of this type. 

As the Government will be acutely aware, the stakes are high and this is a project worth getting right.


Further information

Should you have any questions about any of the issues covered in this blog, please contact Emily Carter, Sameera Abdulrehman, or a member of our Public Law team.


About the authors

Emily Carter is a Partner in our Public Law team with expertise in public inquiries, major inquests, judicial reviews and internal investigations.

Sameera is a paralegal in the Public Law team who has assisted partners and associates in the Public, Criminal, and Regulatory teams on high profile public inquests and inquiries such as the Independent Inquiry into Child Sexual Abuse, Scottish Child Abuse Inquiry, and regulatory work involving the FCA.



Latest blogs & news

The Terms of Reference for the Scottish Covid-19 Inquiry

As we await the publication of the terms of reference for the UK wide Covid-19 Inquiry, in this blog I consider the key features of the recently published terms of reference for the Scottish Inquiry into the Covid-19 pandemic.

The Covid-19 Inquiry – the importance of the terms of reference

Any day now the Covid-19 Inquiry will publish draft terms of reference. This will be a significant event.  Once agreed, the terms of reference will determine the scope and length of the inquiry which is due to begin its work in the Spring.  In turn this will have a direct impact on how valuable the inquiry turns out to be.  

The right to equality in fertility treatment

A same-sex couple have commenced a significant test case against a branch of the NHS fertility sector for discrimination against them on grounds of their sexuality. 

Court considers that intransigent public inquiry witnesses will often give evidence once they have been compelled to attend

In a 16 November 2021 blog, I described how refusing to give evidence to a public inquiry might play out. Another new case, Chairman of the Manchester Arena Inquiry v Romdhan [2021] EWHC 3274 (Admin), reinforces my view. Potential witnesses in next year’s coronavirus (Covid-19) inquiry take note.


Essential Planning for the COVID Inquiry - Sophie Kemp provides insight for the Carer

Given a judge-led inquiry into how the Scottish Government handled the COVID pandemic will start before the end of this year, many are anxiously awaiting news of the Government’s promised UK- wide public inquiry.

Back in May 2021, No 10 committed to that inquiry starting in Spring 2022. Yet months on, details are scant. Who will Chair it? What are its terms of reference? Yes, there may be six months to go, but vital questions remain before any inquiry of this national significance and stature begins.

Mandatory Covid-19 Vaccinations for Care Home Workers

This week, the Government announced that Covid-19 vaccinations will be made compulsory for care home staff, raising strong emotions on both sides of the argument.

Coaching, Teaching and Support Work in Lockdown: Safeguarding and Data Protection considerations when working with children online

The COVID-19 crisis has forced sports clubs, schools, universities and charities to rapidly change their approaches to coaching, teaching and support work. The regulations on social distancing have forced organisations to innovate; services which had previously been offered mostly or wholly in person were rapidly shifted online during “lockdown 1” and will return online at least for the duration of “lockdown 3”.  If the vaccine rollout has the desired effect there will no doubt be some return to “traditional” methods, but it seems very unlikely that the changes brought about by the pandemic will be completely reversed.  In this blog, Claire Parry from Kingsley Napley’s Regulatory team and Fred Allen from the Public Law team look at the challenges organisations face engaging with children online.

Regulation and Uptake of the COVID-19 Vaccine

The government has now approved the supply of the Pfizer-BioNTech COVID-19 vaccine. The reason they have been able to do this so quickly is because they have taken advantage of the temporary authorisation regime laid out by the Human Medicine Regulations of 2012 and 2020. The 2012 Regulations were updated in 2020 specifically to facilitate the smooth rollout of the COVID-19 vaccine. In the public consultation preceding the introduction of these updated regulations, several respondents raised concerns regarding unlicensed vaccines and immunity from civil liability. In practice, very little is known about these regulations and their application. This article seeks to shed some light on the temporary authorisation regime and suggest a means of alleviating concerns in the context of “vaccine hesitancy”.

Parliamentary scrutiny in the time of Coronavirus

As a new nationwide lockdown comes into effect, Stephen Parkinson and Charlie Roe from our Public Law team, consider the often limited role of Parliament in scrutinising restrictive regulations throughout the COVID-19 pandemic.

The inquest process during COVID-19 restrictions

Inquest proceedings, like other legal proceedings in the UK, have been significantly affected by social distancing restrictions and advice arising from the COVID-19 crisis. This blog looks briefly at the impact of the Coronavirus Act 2020 on proceedings, and examines the Chief Coroner’s guidance notes to coroners working during the crisis.

The future public inquiry into COVID-19

The devastation wrought by COVID-19 has led to profound questions about the UK government’s response to the pandemic. Calls for a public inquiry are continuing to mount and are likely to prove difficult to resist. This blog considers the framework for such inquiries, and the key issues likely to form the core of its terms of reference.

COVID-19 and contact tracing apps: A test of public confidence in data privacy?

Dominic Raab announced last week that the current UK lockdown would last for at least another three weeks. These restrictions are unlikely to be relaxed until a large scale plan is in place to track and restrict the spread of the virus. Part of this plan will involve the use of the NHS “contact tracing” app, which we have been told is in an advanced stage of development.

COVID-19 related insights:

COVID-19 related insights:

Our COVID-19 statement

We recognise that these unique times are presenting unprecedented challenges for our clients and we are here to support you in any way we can.

Click to view

Can you get out of or suspend a contract because of Coronavirus?

Alex Torpey covers the key things to look out for if you are relying on the Force Majeure clause.

Watch the video on LinkedIn

Overcoming the challenges of co-parenting for separated and divorced parents

Rachel Freeman, Partner in our Family Law team, addresses some issues that we are seeing arise for separated parents in the current crisis.

Read the blog

Tech in Two Minutes - Episode 7 - The Coronavirus challenge for tech coworking spaces

Andrew Solomon speaks about the challenge for tech companies and coworking spaces during the current COVID-19 pandemic.

Listen to the podcast

The legal basis for lockdown

Alun Milford, Partner in our Criminal Litigation team, provides an in-depth look at the legal basis behind the current lockdown.

Read the blog

Managing your Migrant workforce in the COVID-19 crisis

On Friday 3 April, immigration partner and head of department, Nick Rollason, hosted a webinar looking at urgent issues employers are facing during the COVID-19 crisis and answered some of the key questions being raised.

Watch the webinar recording

Furlough leave and the Coronavirus Job Retention Scheme: key legal considerations for Employers

On Thursday 9 April, Andreas White, Partner in our Employment Law Team, delivered an overview of the scheme with a focus of the key legal issues for UK employers.

Watch the webinar recording

Coronavirus and the perils of signing your Will

Will instructions have apparently risen by 30% since COVID-19 reached our shores. What effect does COVID-19 have on Will signings? James Ward and Diva Shah in our Private Client team blog.

Read the blog

The juggling act of a single mother, home school teacher and head of a family team

Charlotte Bradley, Head of our Family Law Team, reflects on how the COVID-19 crisis has affected working parents like her.

Read the blog

The future public inquiry into COVID-19

Calls for a public inquiry are continuing to mount and are likely to prove difficult to resist. In this blog, Sophie Kemp considers the framework for such inquiries, and the key issues likely to form the core of its terms of reference.

Read the blog

Share insightLinkedIn Twitter Facebook Email to a friend Print

Email this page to a friend

We welcome views and opinions about the issues raised in this blog. Should you require specific advice in relation to personal circumstances, please use the form on the contact page.

Leave a comment

Skip to content Home About Us Insights Services Contact Accessibility