COVID-19 contact tracing app: Data protection considerations
7th May 2020 - Published by Kuits data protection team
This week saw the “test, track and trace” app being piloted in the Isle of Wight. If it is successful, a nationwide programme will be rolled out within the coming weeks, but what does this mean for your data and your privacy?
Here, the Kuits data protection team provides an insight into the privacy and security implications of the NHS contact tracing app, which has recently been developed in a bid to ensure the UK is better placed to monitor and manage the spread of COVID-19.
What is contact tracing?
The World Health Organisation has described the method of contact tracing as “the process of identifying, assessing, and managing people who have been exposed to a disease to prevent onward transmission”.
Technological contact tracing inevitably relies upon the collection and storage of an individual’s data, including device identifiers and health information. It is therefore important that technological contact tracing preserves an individual’s privacy and complies with applicable data protection laws.
Data Protection considerations for the Contact Tracing App (CTA):
What technology and security protocols have been adopted?
- CTA has opted to use Bluetooth Low Energy (BLE) as the technology for detecting contacts, rather than GPS. Why? GPS data is geolocation data, which users may be more reluctant to share, whereas Bluetooth records which devices were near each other without recording where either of them was.
- In addition, a Bluetooth CTA can estimate the distance between individuals from the strength of the received Bluetooth signal, whereas location data is less likely to give an accurate picture. Signal strength is only a proxy, however: walls, bodies and a phone carried in a pocket or bag all attenuate the signal, so the distance estimate is approximate rather than exact.
- Whilst the government has assured the public that the app is secure, further details in respect of specific security measures have been promised in the coming days/weeks.
How has the data been encrypted? What categories of data are collected?
- When you download and run the CTA, your phone is assigned a randomised number sequence. This acts as your fixed anonymous identity (FAI). Because the FAI never changes and the NHS server can recover it, it is strictly a pseudonym rather than anonymous data from the server's point of view, so records linked to it remain personal data in the server's hands.
- The CTA will also ask for your postcode district, which it has been reported will be used primarily for NHS resource planning.
- Your device encrypts your FAI on a daily basis in such a way that only the NHS server can recover it.
Who will have access to the data collected? What can the data be used for by these parties?
- Only your device and the NHS server should have access to your FAI and postcode district.
- If, however, you develop symptoms and submit a notification of them via the CTA then, with your permission, the CTA uploads the anonymous record of your proximity events to the NHS server. For each encrypted FAI in that record, the NHS server can recover the FAI of the device you were near.
- From this, the NHS server uses the recovered FAI data to work out the encounters that are high risk from a transmission point of view. The NHS server then generates a list of FAIs that have been in high risk proximity events with your device.
- It is not yet clear whether the government intends to share this data with any other third parties for research purposes (if it were to do so, this would need to be made very clear to individuals at the outset of their use of the CTA).
How long will the data be retained for?
- If you do not develop symptoms and no notifications are made via the CTA, each record of encounter is deleted after 28 days. However, the government has not yet clarified how long data will be retained if symptoms do develop or notifications are made.
Will the data be stored on the user’s smartphone or centrally?
- Your device, through the CTA, advertises a contact service over Bluetooth. When another app user comes close enough for your phone to detect their device, the two devices connect to each other's contact service and exchange a package containing their encrypted FAIs, and each records the strength of the Bluetooth signal from which proximity is estimated.
- Every time this happens, the record is securely stored on your device.
- However, if you report symptoms via the CTA, or a person you have been in contact with reports symptoms, then your records, the records of anyone who has had contact with the affected individual, the records of those people's contacts and so on will be sent to the government and stored centrally.
- This differs from the contact tracing models used by other countries (and from the Application Programming Interface being designed by Apple and Google), which keep all contact information on your device and upload only the identifiers of users who report infection. That decentralised approach is the less privacy-intrusive of the two.
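The data flow described in the sections above (a fixed per-device identity that the phone re-encrypts daily so that only the server can decrypt it, an exchange of those encrypted values over Bluetooth, local storage of the exchanged values, and a server-side risk calculation after a symptom report) can be modelled end to end. The following is an added illustrative model written for this page; it is not NHSX's code and does not reproduce the app's actual cipher suite, message format or risk parameters. It assumes an ECIES-style construction (an ephemeral ECDH key agreement against the server's public key, then AES-GCM) because that is one standard way of achieving "only the NHS server can recover it"; the -70 dBm and 15-minute thresholds, the FAI strings and the three-device scenario are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"time"
)

const pubLen, nonceLen = 65, 12 // uncompressed P-256 point, AES-GCM nonce

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // key generation or ECDH failing is fatal in this demo
	}
	return v
}

// Server holds the NHS-side long-term ECDH private key; only it can recover a FAI.
type Server struct{ *ecdh.PrivateKey }

func NewServer() *Server { return &Server{must(ecdh.P256().GenerateKey(rand.Reader))} }

// aeadFor derives AES-256-GCM from a shared secret (bare SHA-256 as the KDF is a simplification).
func aeadFor(secret []byte) cipher.AEAD {
	key := sha256.Sum256(secret)
	return must(cipher.NewGCM(must(aes.NewCipher(key[:]))))
}

// EncryptFAI builds one day's broadcast value: ephemeral pubkey || nonce || AES-GCM(FAI).
// A fresh ephemeral key per call leaves successive values unlinkable without the server key.
func EncryptFAI(serverPub *ecdh.PublicKey, fai []byte) []byte {
	eph := must(ecdh.P256().GenerateKey(rand.Reader))
	g := aeadFor(must(eph.ECDH(serverPub)))
	nonce := make([]byte, nonceLen)
	must(rand.Read(nonce))
	return g.Seal(append(eph.PublicKey().Bytes(), nonce...), nonce, fai, nil)
}

// DecryptFAI is the server-side inverse; under any other private key GCM authentication fails.
func (s *Server) DecryptFAI(blob []byte) ([]byte, error) {
	if len(blob) < pubLen+nonceLen {
		return nil, fmt.Errorf("broadcast value too short: %d bytes", len(blob))
	}
	eph, err := ecdh.P256().NewPublicKey(blob[:pubLen])
	if err != nil {
		return nil, err // not a valid curve point
	}
	secret := must(s.ECDH(eph)) // cannot fail once the point has been validated
	return aeadFor(secret).Open(nil, blob[pubLen:pubLen+nonceLen], blob[pubLen+nonceLen:], nil)
}

// ProximityEvent is what stays on the handset after a Bluetooth exchange: the peer's
// encrypted FAI exactly as received, the signal strength in dBm (distance proxy), and duration.
type ProximityEvent struct {
	PeerBlob []byte
	RSSI     int
	Duration time.Duration
}

// Device models one app installation.
type Device struct {
	FAI    []byte
	Events []ProximityEvent
}

// Exchange models a contact: each side stores the other's current encrypted FAI, never a raw one.
func Exchange(a, b *Device, pub *ecdh.PublicKey, rssi int, d time.Duration) {
	a.Events = append(a.Events, ProximityEvent{EncryptFAI(pub, b.FAI), rssi, d})
	b.Events = append(b.Events, ProximityEvent{EncryptFAI(pub, a.FAI), rssi, d})
}

// HighRiskContacts is the server step after a symptom report: decrypt every uploaded
// peer blob and total close-range exposure per FAI. -70 dBm and 15 min are assumed thresholds.
func (s *Server) HighRiskContacts(uploaded []ProximityEvent) ([]string, error) {
	exposure := map[string]time.Duration{}
	for _, e := range uploaded {
		if e.RSSI < -70 {
			continue // weak signal: treated as not close contact
		}
		fai, err := s.DecryptFAI(e.PeerBlob)
		if err != nil {
			return nil, err
		}
		exposure[string(fai)] += e.Duration
	}
	var risky []string
	for fai, total := range exposure {
		if total >= 15*time.Minute {
			risky = append(risky, fai)
		}
	}
	sort.Strings(risky)
	return risky, nil
}

func main() {
	srv := NewServer()
	alice, bob, carol := &Device{FAI: []byte("FAI-A")}, &Device{FAI: []byte("FAI-B")}, &Device{FAI: []byte("FAI-C")}
	Exchange(alice, bob, srv.PublicKey(), -55, 20*time.Minute)  // constructed: 20 min of close contact
	Exchange(alice, carol, srv.PublicKey(), -85, 2*time.Minute) // constructed: brief, distant pass
	fmt.Println(srv.HighRiskContacts(alice.Events))             // Alice reports symptoms and uploads
}
```

Running it prints `[FAI-B] <nil>`: only Bob's FAI crosses the assumed exposure threshold. Two properties of the model are worth checking against any real deployment. A phone that merely observes Alice's broadcasts cannot tell that two values belong to the same device, because each carries a fresh ephemeral key; the server, by contrast, can link every upload back to the same fixed FAI, which is exactly why the identifier is pseudonymous rather than anonymous in the server's hands.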
What is the legal basis for processing the personal data?
- The UK Information Commissioner’s Office and European Data Protection Board’s guidance has stated that collecting proximity data and the storing of, or accessing, other information on a user’s device is allowed only if the user has given prior consent pursuant to the ePrivacy Directive, save for those activities which are ‘strictly necessary’ for the app to be installed and activated by the user or for the app to provide the contact tracing service specifically requested by it, which do not require consent.
- Consent must meet the standard set by the GDPR, that is that an individual’s consent is informed, freely given for a specific purpose, and demonstrated through some affirmative action (for example, electronically ticking a box). This means that where the CTA provides functionality other than that strictly necessary to provide the contact tracing service, specific consent to that functionality will be required.
- In addition to such consent, the processing of personal data via the CTA requires a valid lawful basis under the GDPR, for example that it is necessary for a task carried out in the public interest (the legitimate interests basis is not available to a public authority acting in the performance of its tasks). For health data an additional condition is also needed, such as explicit consent or the processing being necessary for reasons of public interest in the area of public health.
- Data collected through CTA can only be used for the specific purpose of managing the COVID-19 health crisis. It must not be used for any further or unrelated purpose (which would include sharing your account with family or friends) unless the user has provided explicit consent to this.
- Given the sensitive nature and large scale processing of personal data with the CTA, a data protection impact assessment should be carried out to assess and document the data protection considerations. Whilst this has not yet been published, we are monitoring the situation on a daily basis and will provide further updates as and when appropriate.
Will users be required to use the app or will it be voluntary? What happens in the case of children?
- It is not yet known whether use of the CTA will be mandatory or voluntary. If it is mandatory, there would need to be a clear and detailed legislated legal basis for this. We consider this unlikely at this stage, due to privacy concerns and the number of citizens who do not own a smartphone.
- It has not yet been reported whether children will be able to access the app, or how their data will be treated if they are. However, the message has been reinforced that the CTA is only part of an overall contact-tracing system and it will never be the case that children are excluded from contact tracing or testing if they develop compatible symptoms.
- If children (which would be any person under the age of 18) are able to download the app, we would expect there to be a requirement for parental consent and the developers would need to think carefully about how this would be obtained and validated via the app.
Predicted success of CTA and data protection issues
- The CTA's success depends not only on meeting the UK's primary medical needs while ensuring people's data and privacy are not compromised, but also on its being widely adopted across the nation.
- The NHS's academic advisers estimate that 60% of the UK's population are smartphone users, and that 80% of those users would have to actively use the CTA for it to be effective. For that to happen, the public need to have confidence that the government is being fully transparent about how the data provided will be used.
- As the CTA uses a self-reporting system, there is a risk that it will generate false reports which, if happening often, may cause notification overload and cause people to lose faith in the CTA and cease use.
- From a technical perspective, the UK government has chosen a centralised system (sending contact data back to the government rather than simply storing it on users' devices), and there remains a question mark over how reliably Bluetooth links between devices are maintained while phones are locked or otherwise inactive, since mobile operating systems restrict background Bluetooth scanning and advertising by third-party apps. This could leave gaps in contact reporting, reducing the effectiveness of the CTA.
- The government has promised full transparency to individuals in respect of how their data will be used by the government and it will be important for them to provide this, in an easily accessible manner, to encourage people to use the CTA with confidence and to increase its effectiveness. Without this, the government will encounter difficulties in establishing the lawfulness of the CTA; a concern raised by the Parliamentary Joint Committee on Human Rights on 7th May 2020, and one which we suspect may only be overcome with proper Parliamentary scrutiny and possible legislative changes. With one of the government’s key focus points now being test, track and trace it will be interesting to see how the government chooses to balance individuals’ privacy rights with the battle against COVID-19.
If you need any data protection advice, please contact Rebecca Bainbridge on 0161 838 7986.