The idea that the majority of the population should voluntarily install an app onto their smartphone that potentially gives the government access to personal information about their health, is one that would have been met with incredulity only a few months ago. But that is exactly what we will be expected to do, if plans for the NHS app to allow for digital contact tracing materialise. What are people letting themselves in for?
Once installed on a smartphone, a digital contact tracing app registers and stores details of another smartphone when it comes within a certain distance for a certain amount of time. If the other user has configured the app to show that they have the symptoms of COVID-19, then that fact will be transmitted to inform the other users.
There are generally two types of app that can perform this function. The first is a ‘decentralised’ app, which essentially limits the transfer of information between phones without the requirement for any central involvement. A ‘centralised’ app requires the information to be sent to an NHS-controlled server where it’s stored in a database. In general terms, it is accepted that the decentralised system contains fewer opportunities for the processing and potential use of personal information protected by the Data Protection Act (DPA) 2018. As things stand, the government is intending to use a centralised system, which is what will be addressed here.
The information generated will include things like the first half of a person’s postcode, which might enable their identity to be discovered when matched up with other information. Thus, the information is not strictly anonymous, but described as pseudonymous, which means that a person could be identified if further information were added to that already held.
There are similar safeguards for the protection of personal data under both the DPA 2018 and article 8 of the European Convention on Human Rights
, which cannot be considered in depth here. Processing of personal information under the DPA 2018 must be fair and lawful, with the concept of a reasonable expectation of privacy at the heart of the test. Under article 8(1), both retention and use of information can engage the right to respect for ‘private life’, and any interference with the right must be proportionate and for a legitimate aim (‘protection of health’ is included) for the purposes of article 8(2).
The main concerns
Efficacy and scope
The Joint Committee on Human Rights (JCHR) heard expert evidence in May 2020 and was not convinced about the efficacy and the benefits of the app as currently described to it.2‘Report on the contact tracing app published’, JCHR news article, 7 May 2020.
If the app does not work well, the collection of data is more likely not to be proportionate or fair for the purposes of satisfying the DPA 2018 or article 8. Concerns include the likelihood of take-up, the ease with which the app could be used malevolently and the ability to identify an infected person in a small group.
If the NHS is permitted to retain the information for wide public health purposes (as it proposes), additions to the information in the future (through opt-in or otherwise) – for example, in relation to another research project – may lead to the increased possibility of identification of individuals. The solution to this might be to limit use, either temporally or to purposes linked directly to the pandemic.
Lack of oversight
Reports that, in China, coronavirus apps may be turned into ‘permanent’ health trackers,4See, for example, Helen Davidson, ‘Chinese city plans to turn coronavirus app into permanent health tracker’, Guardian, 26 May 2020.
presage exactly the fears of the JCHR and others that, whatever the benefits of the NHS app (as yet unproven), its implementation, without the most rigorous human rights safeguards, risks the UK taking the next step towards the surveillance society.