Privacy Breaches? There’s an app for that! – Experts worry NHS’ contact tracing app opens the door to mass surveillance

May 28, 2020


What's going on here?

Leading human rights committees claim that the NHS contact tracing app is unlawful and therefore potentially ineffective, arguing that new legislation is necessary to ensure users’ data is not violated.

What does this mean?

The contact tracing app is part of the government’s strategy to ease nationwide lockdown. Currently being piloted on the Isle of Wight, the app utilises Bluetooth to monitor users’ proximity to other users. It can then send alerts to those who have been in contact with someone later diagnosed with COVID-19. 

Problems have arisen in choosing between two conflicting approaches: a centralised or a decentralised system. The former uses a central server to create, match and store “identifiers” (known as Installation ID), which are sent and received by infected users’ phones; in a decentralised system, this happens on the device itself. The NHS would be able to use the central server’s data to understand how the virus is spreading. But as “identifiers” are unique and stored on a central server, the app is not anonymous under the EU’s General Data Protection Regulation 2016.

An Oxford University report found that 60% of the overall population would need to download the app to suppress the pandemic. If users don’t believe their data is secure, they may not download it.

What's the big picture effect?

Balancing the epidemiological justifications for a centralised system with the peace of mind of a decentralised system is extremely difficult. This is why it has been a divisive issue around the world. 

Germany, Italy and Ireland have chosen to utilise Apple-Google’s Application Programming Interface (API). This facilitates the exchange of data between computer applications, like a waiter in a restaurant who takes your order (request) to the kitchen (Apple-Google’s systems) and then brings back what you ordered. The API addresses numerous technological problems, including different types of smartphones not being able to communicate, the app failing to work when a device is locked and battery drainage problems.

The impasse for France and the UK (the Isle of Wight trial does not utilise the API) is that the API only supports apps working on decentralised systems. This means data collection – which the CEO of NHSX (the NHS’ digital innovation arm), Matthew Gould, explains as being an impetus for the app’s creation – is not possible.

A legal opinion recently published by various legal experts (under the instruction of Open Society Foundation) found that a centralised system (unlike a decentralised system) is likely non-compliant with human rights and data protection laws, specifically the right to respect for private life (Article 8 of the European Convention on Human Rights). 

Furthermore, the Joint Committee on Human Rights (made up of members of the House of Commons and House of Lords) said in a report this month that although a contact tracing app is important, it does not supersede proportionality. Consequently, the committee has called for legislation to provide clarity as to how the collected data would be used, stored and disposed of.

Perhaps due to this pressure, NHSX has recently provided £3.8m funding to Zuhlke Engineering to develop a second app utilising the Apple-Google API. The two apps will soon be presented to the government to decide which gains national rollout.

Allowing the government to track and store our every move would have been inconceivable before the pandemic, but is now quite possibly on the horizon, and with good reason. But if the government is to adopt the inherently riskier centralised system, should it not enshrine MPs’ promises to protect the public’s privacy by enacting legislation?

Report written by Keir Galloway Throssell
