The Government’s National Cyber Security Centre (NCSC) published a blog this week on the new NHS COVID-19 app, explaining that the origins of contact tracing in the UK could be linked back to this country’s response to the Black Death. While the registration in 1348 of two ships in the Dorset town of Weymouth as carrying “the seeds of the terrible pestilence” was undoubtedly an attempt by authorities to understand the spread of a pandemic, it is fair to say that any similarities with the UK’s tech-centric approach to tracking the 2020 coronavirus outbreak end there.
As a beta test version of the COVID-19 app is tentatively rolled out across the Isle of Wight, there has been an explosion in related news coverage, much of which focuses on “privacy and security concerns” around the UK’s chosen approach. This is primarily because the UK is one of a limited number of European countries to have opted for a centralised approach to contact tracing (i.e. a central server holds the data on exactly who came into contact with an infected person). The preferred choice for most countries (and regulators) in Europe has instead been a decentralised model which avoids storing potentially sensitive information on one national database.
While concerns around the possible existence of such a centralised database have been voiced widely, the Government has been clear that - in their view - only a centralised approach can provide the insights that public health professionals require to properly manage the pandemic in the UK, even if the privacy and security risks are inherently higher.
What data is involved, and how is that data used?
At present, it appears that the app will itself only require users to physically input one piece of information: the first half of their postcode. Once the app is up and running, a user’s phone will be assigned a random but unique number, which will act as that user’s identifier. This identifier will be encrypted and then exchanged with other app users when their phones’ Bluetooth signal is detected. These records (so-called “proximity events”) will be stored on a user’s phone for 28 days. If a user develops COVID-19 symptoms, they can then choose to upload their phone’s proximity event data to the national database. The unique identifiers of each device that the user came into contact with will then be recovered (i.e. decrypted). Any contacts deemed to be high-risk will be notified and asked to self-isolate.
The NCSC openly accepts the theoretical possibility of re-identifying individuals from their unique identifiers, albeit only with access to a significant volume of underlying data. However, the Government is adamant that effective privacy controls are in place to ensure that it is as difficult as possible for anyone with access to NHS systems to link an app user’s identifier to a COVID-19 test, or indeed their NHS records.
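The data flow described above, as an added Python model that is not the NHS app's or the NCSC's code. It assumes a registration server that issues each phone an identifier together with an encrypted token, a toy HMAC keystream in place of the app's real cipher, and constructed postcode prefixes and dates; the identifier-to-postcode table on the server is where the linkage the NCSC acknowledges would sit.

```python
# Toy model of the centralised flow described above (added illustration, not
# the NHS app's code). Assumes the server issues each phone an identifier plus
# a token: that identifier encrypted under a key only the server holds.
import hashlib, hmac, secrets
from datetime import datetime, timedelta

RETENTION = timedelta(days=28)   # proximity events live on the phone for 28 days

def _xor_keystream(key, nonce, data):
    # Toy stream cipher (HMAC-SHA256 keystream XOR) standing in for real AEAD.
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

class Server:
    def __init__(self):
        self.key = secrets.token_bytes(32)   # decryption key never leaves the server
        self.registered = {}                 # identifier -> postcode prefix: the linkage point
    def register(self, postcode_prefix):
        ident, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
        self.registered[ident] = postcode_prefix
        return ident, nonce + _xor_keystream(self.key, nonce, ident)
    def recover(self, token):
        return _xor_keystream(self.key, token[:16], token[16:])
    def process_upload(self, events, now):
        # Only events still inside the retention window are decrypted.
        return {self.recover(tok) for ts, tok in events if now - ts <= RETENTION}

class Phone:
    def __init__(self, server, postcode_prefix):
        self.ident, self.token = server.register(postcode_prefix)
        self.events = []   # proximity events: (timestamp, other phone's token)
    def encounter(self, other, when):
        # Bluetooth contact: each phone records the other's opaque token, never its identifier.
        self.events.append((when, other.token))
        other.events.append((when, self.token))
    def prune(self, now):
        self.events = [(ts, tok) for ts, tok in self.events if now - ts <= RETENTION]

def simulate(now=datetime(2020, 5, 8)):
    # Constructed scenario: A met B five days ago and C forty days ago, then reports symptoms.
    server = Server()
    a, b, c = (Phone(server, p) for p in ("PO30", "PO31", "PO32"))
    a.encounter(b, now - timedelta(days=5))
    a.encounter(c, now - timedelta(days=40))
    a.prune(now)
    recovered = server.process_upload(a.events, now)
    return {"a": a, "b": b, "c": c, "recovered": recovered}
```

Running `simulate()` shows that A's phone only ever holds opaque tokens, that the 40-day-old contact is dropped before upload, and that only the server can turn the remaining token back into B's identifier.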
What is the regulator saying?
The UK Information Commissioner has confirmed that her office (the ICO) is involved in advising the Government on the data protection and privacy elements of the app (though it will not sign off on any part of it). The ICO has also this week published data privacy recommendations for contact tracing apps. However, the Government’s mandatory data protection impact assessment, which will set out the detailed privacy protections built into the app, has not yet been published. Many questions remain unanswered, and only once the UK Government has published the underlying documentation will the legal thinking behind the privacy impact of the UK’s approach become clearer.
“If I were to start with a blank sheet of paper, [it] would start with a decentralised system... But that does not, in any way, mean that a centralised system can’t have the same kind of privacy and security protections.” (Elizabeth Denham, UK Information Commissioner)