‘Failed mishmash’ of privacy protections insufficient for NHS app users

The UK government hopes that digital contact tracing, accompanied by other measures, will play an important part in enabling lockdown measures to be relaxed. Contact-tracing apps use Bluetooth to detect other app users in close proximity; when an app user registers themselves as Covid-19 positive, their contacts receive an alert informing them that they may have been exposed to the virus and should take certain actions, such as entering self-isolation or requesting a test.

NHSX, the NHS’ digital innovation arm, is trialling its Covid-19 contact-tracing app on the Isle of Wight, with a view to rolling it out nationwide some time in the next few weeks.

The NHS app is unusual for using a centralised model, in which the data is captured, stored and processed on a central server rather than on users’ devices. This approach has attracted criticism from academics, MPs and privacy activists. Other European countries, including Germany and Ireland, have pursued a decentralised model of digital contact tracing, backed by Apple and Google who together developed an API supporting privacy-focused contact tracing. NHSX has argued that the centralised model will allow for valuable insights into the spread of the virus, such as detecting hotspots as they emerge.

Concerns about the NHS app include uncertainties about who will have access to the data; the possibility of a 'social graph' of interactions being constructed, and the risk of unjustified 'mission creep' - for instance, assigning risk scores to individuals on the basis of their behaviour.

The Joint Committee on Human Rights has been investigating the privacy implications of the NHS app. It has concluded that specific protections are necessary to ensure that the personal data of app users is protected.

Speaking during a virtual press conference, committee chair Harriet Harman said that even before the coronavirus pandemic the committee took the view that data protections in the UK may not be sufficient. These concerns are all the more salient now.

“This is a wholly new area of data collection and therefore we need not the failed mishmash of protections that currently exists; we need a new bespoke bill,” Harman said.

“Currently, the protection is spread between the GDPR; the Data Protection Act 2018; case law on privacy, and the European Convention on Human Rights. It’s a tangle of law which never envisaged the sort of contact-tracing app that is now about to be brought in. A bespoke law that goes alongside this new app is exactly what is needed.”

Matthew Gould, NHSX CEO, had told the committee that data subjects would not be able to request that their data be deleted once it had been uploaded to the central server (because it would have become too "enmeshed in wider data", was Gould's explanation) and that data may be legally retained for research.

While there is no explicit legal guarantee that the data will eventually be fully anonymised or deleted, Gould said that NHSX was committed to doing so. The Health Secretary Matt Hancock has offered similar assurances in response to the committee submitting a draft bill (the Contact Tracing (Data Protection) Bill 2020), which lays out mechanisms to protect data collected by the app, such as the legal requirement to delete the data after the pandemic and the establishment of an independent 'Privacy Tzar' to focus on the app.

Harman has expressed the view that these verbal and written assurances are unsatisfactory: “[Hancock]’s given that assurance, but actually a letter does not provide any protection, even a letter from Matt Hancock. A bill does: it needs to be in law.

“I just don’t think assurances, however well-motivated and genuinely given, cut the mustard. A minister’s letter is not legal protection. It’s not a framework within which public agencies work – public agencies work within a framework of law, of legal duties and obligations. When [Hancock] says we’ll make clear that it will be used to help understand and manage the pandemic, he’s simply saying, trust us, we’ll make it clear that that’s what it will be used for.”

Harman also expressed concern that the Information Commissioner’s Office is “bordering on a conflict of interest” to be involved with the app as both an adviser and an enforcer.

“If you’ve been advising - which the Information Commissioner has been - about the setup of the system, then you kind of are vested in it and you need a clean pair of eyes to actually look at it, rather than have one of the advisers enforcing protections for any breach,” she said.

Harman is seeking permission from the leader of the House of Commons, Jacob Rees-Mogg, to introduce the Contact Tracing (Data Protection) Bill 2020 as a private members’ bill. She acknowledged that despite the committee's view that the app should not go ahead in this form and without adequate privacy protections, she would personally download the app.

This week, a team of security researchers have published a report laying out wide-ranging security flaws in the current version of the NHS app and argued that a fundamental redesign (shifting to a decentralised model) may be required. The National Cyber Security Centre has said that it is in the process of addressing these security flaws.

Meanwhile, outsourcing company Serco has apologised after accidentally sharing almost 300 email addresses of people recently recruited to the public contact-tracing programme. This was caused by the email addresses being included in the cc: section of an email instead of the bcc: section, making them visible to all recipients.