Lawmakers express concern about contact tracing oversight
MPs and Lords taking evidence from NHSX CEO Matthew Gould and Information Commissioner Elizabeth Denham have questioned whether the planned coronavirus contact-tracing app's intrusion on privacy will be proportionate, and whether the data regulator has compromised its independence through its involvement in the app's design.
The Parliamentary Human Rights Committee, which is formed of both MPs and Lords, interrogated Gould and Denham on the privacy implications of the app during an oral evidence session, held remotely.
In the context of the coronavirus pandemic, contact tracing involves tracking down anybody who has been in contact with a person testing positive for Covid-19 and asking them to take precautionary action (such as getting tested themselves or entering strict self-isolation). The government intends to roll out a contact-tracing app which uses Bluetooth handshakes to keep a record of social contact in an effort to minimise the transmission of Covid-19, alongside manual contact tracing and other measures.
Unlike most other European countries, the UK has elected for a centralised model in which data is stored and operations are performed on a central server, rather than on individuals’ phones. Academics and campaigners have raised concerns that this model could severely compromise privacy, for example by allowing a “social graph” of interactions to be constructed, and that it creates the potential for “mission creep” (e.g. assigning individuals risk scores on the basis of their behaviour).
In response to these concerns, the German government recently switched from pursuing a centralised model to a decentralised model for its contact-tracing app.
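The following is an added illustration, not code from the article or from NHSX, of why the centralised and decentralised designs differ in what the server can learn. It uses constructed sample data (four users, one fixed pseudonym each; real apps rotate pseudonyms) and shows the central server joining uploaded Bluetooth contact logs into the kind of “social graph” the campaigners describe, compared with the decentralised design where only the pseudonyms of people who test positive are published and matching happens on each phone.

```python
from collections import defaultdict

# Constructed sample data. Each phone keeps a log of the Bluetooth pseudonyms
# it heard; OWN_IDS maps each user to the pseudonym their own phone broadcast.
OWN_IDS = {"alice": "id-a1", "bob": "id-b1", "carol": "id-c1", "dave": "id-d1"}
CONTACT_LOGS = {
    "alice": ["id-b1", "id-c1"],
    "bob": ["id-a1", "id-d1"],
    "carol": ["id-a1"],
    "dave": ["id-b1"],
}


def centralised_server_view(logs, own_ids):
    """Centralised model: every user uploads their whole contact log and the
    server holds the pseudonym-to-account mapping, so it can join the logs
    into an interaction graph (the 'social graph' concern)."""
    owner_of = {pid: user for user, pid in own_ids.items()}
    graph = defaultdict(set)
    for user, heard in logs.items():
        for pid in heard:
            graph[user].add(owner_of[pid])
            graph[owner_of[pid]].add(user)
    return {u: sorted(c) for u, c in sorted(graph.items())}


def contact_counts(graph):
    """Once the graph exists, per-person behavioural scores (here, how many
    distinct contacts someone has) are one query away: the 'mission creep' risk."""
    return {u: len(c) for u, c in graph.items()}


def decentralised_server_view(positive_users, own_ids):
    """Decentralised model: only the pseudonyms broadcast by users who test
    positive are published; logs stay on phones, so the server sees no edges."""
    return sorted(own_ids[u] for u in positive_users)


def exposed_users(logs, positive_users, own_ids):
    """Matching runs on each phone against the published list, so only the
    phone's owner learns whether they were exposed."""
    published = set(decentralised_server_view(positive_users, own_ids))
    return sorted(u for u, heard in logs.items() if published & set(heard))


if __name__ == "__main__":
    g = centralised_server_view(CONTACT_LOGS, OWN_IDS)
    print("central server learns:", g, contact_counts(g))
    print("decentralised server learns:", decentralised_server_view(["bob"], OWN_IDS))
    print("exposed (computed on-device):", exposed_users(CONTACT_LOGS, ["bob"], OWN_IDS))
```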
In this session with the UK government, the Human Rights Committee focused its questioning on the privacy implications of the centralised contact-tracing app being prepared for a trial on the Isle of Wight by NHSX.
Gould acknowledged the importance of winning public trust on the issue of privacy, commenting: “If we’re going to get the level of engagement that we need from the public, we’re going to need to win their trust and that means dealing with [privacy issues].”
The current model requires users to disclose the first half of their postcode, which Gould says will help the NHS identify areas in which Covid-19 hotspots may be appearing and prepare local hospitals and other services. Gould said that this is a “broad brush” approach which does not provide anywhere near enough information for users to be identified. However, the app is expected to evolve after being rolled out and users may be asked if they are willing to share more personal information.
Gould said that data may be legally retained “for research in the public interest”. He confirmed that data subjects would not be able to request that their data is deleted once it is uploaded to the central server, as once it is “enmeshed” with other data it would be difficult to isolate and delete. While there is no explicit legal guarantee that the data will eventually be fully anonymised or deleted, he said that NHSX has made a commitment to do so.
Questioned on NHSX’s decision to choose the centralised model shunned by most other public health agencies, Gould said that the decision was based on the need to balance privacy concerns against the need for public health authorities to gain more insight from app users. He did not explicitly rule out the possibility of switching to a decentralised model, which UCL digital rights expert Michael Veale (who testified before Gould) indicated would probably not involve a debilitatingly vast technical effort.
“I want to provide some reassurance that just because we’ve started down one route doesn’t mean we’re locked into it,” Gould said.
Questioned on who would have access to the data, Gould said: “I can’t give you a definitive list of exactly who would have access to the data, but I can say we will have proper procedures in place consistent with the law, which will make sure that only those with an appropriate health or public health reason for seeing the data do so, and see it under very clear conditions and criteria.”
Several members of the committee questioned the Information Commissioner about whether her office could act as a fully independent watchdog regarding the potential privacy risks posed by the app, given her involvement in its development. NHSX and the ICO have been working together on the app from an early stage.
“You’re quite deep into it, even though you’re not sitting at the table. How can you both be sharing the design and also be independently enforcing it afterwards?” asked Harriet Harman, who chairs the committee. “It sounds to me that it needs to be a separate person who has not been involved with shaping the design.”
The Liberal Democrat Peer, Baroness Ludford, questioned Denham on why she did not take a more critical stance against the work done by NHSX so far, given that she had recently published a document recommending that the starting point for a contact-tracing app should be decentralisation.
“You said that there’s no one best approach [regarding centralisation vs. decentralisation] but your knowledge of the situation in the development of the app led you personally, and the ICO, to recommend a decentralised system - are you more friend or more critic?” asked Ludford. “You are the regulator and it’s slightly worrying that you said you prefer a decentralised system, but [now] you sound a bit neutral between centralised and decentralised, which is slightly confusing.”
The ICO has not “signed off or approved” anything relating to the app, Denham said, describing the ICO as a “critical friend”. Questioned about the possible need for a fully independent regulator, she said that the government did not have time to establish a second regulator for the task during this crisis.
With regards to the potential privacy intrusions associated with the app, Denham commented that data protection law “was designed to flex in a time of emergency”. She said that current data protection law has strong enough principles and provisions to cover challenging issues, such as the use of anonymous contact-tracing data for research.
Sign up to the E&T News e-mail to get great stories like this delivered to your inbox every day.