Mass surveillance and the NHS contact tracing app
Marc Bloomfield
The idea that the majority of the population should voluntarily install an app onto their smartphone that potentially gives the government access to personal information about their health, is one that would have been met with incredulity only a few months ago. But that is exactly what we will be expected to do, if plans for the NHS app to allow for digital contact tracing materialise. What are people letting themselves in for?
Once installed on a smartphone, a digital contact tracing app registers and stores details of another smartphone when it comes within a certain distance for a certain amount of time. If the other user has configured the app to show that they have the symptoms of COVID-19, then that fact will be transmitted to inform the other users.
There are generally two types of app that can perform this function. The first is a ‘decentralised’ app, which essentially limits the transfer of information between phones without the requirement for any central involvement. A ‘centralised’ app requires the information to be sent to an NHS-controlled server where it’s stored in a database. In general terms, it is accepted that the decentralised system contains fewer opportunities for the processing and potential use of personal information protected by the Data Protection Act (DPA) 2018. As things stand, the government is intending to use a centralised system, which is what will be addressed here.
Personal data
A very big concern is that the app will provide access to a person’s personal data. Personal data is defined in DPA 2018 s3(2) as ‘any information relating to an identified or identifiable living individual’. The NHS confirmed that the information would be retained for ‘research in the public interest or for use by the NHS for planning and delivering services’,1Joint Committee on Human Rights – oral evidence (virtual proceeding): The government’s response to COVID-19: human rights implications, HC 265, 4 May 2020, page 14. but it appears that there would be few other limits on when and for what purposes the information would be used.
The information generated will include things like the first half of a person’s postcode, which might enable their identity to be discovered when matched up with other information. Thus, the information is not strictly anonymous, but described as pseudonymous, which means that a person could be identified if further information were added to that already held.
The law
There are similar safeguards for the protection of personal data under both the DPA 2018 and article 8 of the European Convention on Human Rights, which cannot be considered in depth here. Processing of personal information under the DPA 2018 must be fair and lawful, with the concept of a reasonable expectation of privacy at the heart of the test. Under article 8(1), both retention and use of information can engage the right to respect for ‘private life’, and any interference with the right must be proportionate and for a legitimate aim (‘protection of health’ is included) for the purposes of article 8(2).
The main concerns
Efficacy and scope
The Joint Committee on Human Rights (JCHR) heard expert evidence in May 2020 and was not convinced about the efficacy and the benefits of the app as currently described to it.2Report on the contact tracing app published’, JCHR news article, 7 May 2020. If the app does not work well, the collection of data is more likely not to be proportionate or fair for the purposes of satisfying the DPA 2018 or article 8. Concerns include the likelihood of take-up, the ease with which the app could be used malevolently and the ability to identify an infected person in a small group.
Function creep
If the NHS is permitted to retain the information for wide public health purposes (as it proposes), additions to the information in the future (through opt-in or otherwise) – for example, in relation to another research project – may lead to the increased possibility of identification of individuals. The solution to this might be to limit use, either temporally or to purposes linked directly to the pandemic.
Lack of oversight
As things presently stand, the use of the app would come under the auspices of the information commissioner. The commissioner has been working closely with the NHS to ensure that privacy and human rights concerns are addressed, and has oversight and enforcement powers under DPA 2018 Sch 12. However, the JCHR’s view (now rejected by the government) is that the ‘mass-surveillance’ envisaged under the app requires primary legislation to introduce it, including the installation of a new watchdog: the digital contact tracing human rights commissioner.3Letter to health and social care secretary Matt Hancock, from JCHR chair Harriet Harman, incorporating the Digital Contact Tracing (Data Protection) Bill, 7 May 2020, clauses 5–8, pages 2–3.
Reports that, in China, coronavirus apps may be turned into ‘permanent’ health trackers,4See, for example, Helen Davidson, ‘Chinese city plans to turn coronavirus app into permanent health tracker’, Guardian, 26 May 2020. presage exactly the fears of the JCHR and others that, whatever the benefits of the NHS app (as yet unproven), its implementation, without the most rigorous human rights safeguards, risks the UK taking the next step towards the surveillance society.

About the author(s)

Description: Stephen Cragg QC - author
Stephen Cragg QC is a barrister at Doughty Street Chambers.