When the UK launched its test and trace program on 28 May 2020, it was missing a key element; the test and trace app developed by NHSX.
Originally flagged as crucial to the success of the program, the importance of the app has been downplayed as uncertainty regarding its final launch date has grown. The app remains on trial in the Isle of Wight with the original launch date of late May now long past.
Whilst a number of significant technical concerns have been raised regarding the viability of the technology itself, the real focus of debate is on the privacy implications of the app.
Centralised and de-centralised models
The government’s initial failure to publish a data protect impact assessment (DPIA) or source code for the app lead to the Information Commissioner issuing a public statement calling for greater transparency and engagement with it as the expert regulator. The Department for Health and Social Care (DHSC) was quick to respond, releasing both the DPIA and front-end source code. However, the DPIA in particular appeared to give credence to many of the concerns voiced by commentators, campaigners and experts across the sector.
Chief amongst these concerns are the potential implications of a centralised model. With a centralised model, all data logged through the app by those reporting symptoms of coronavirus will be uploaded and stored on a central database. Once an individual’s data has been uploaded, it cannot be deleted. It will be retained for the lifetime of the database and used for public health planning and research. The DHSC has acknowledged that as details of future research have yet to be decided, it cannot say when, or indeed if, the database itself will be destroyed.
By comparison, when the de-centralised model offered by Apple and Google is used all data stays on the individual’s device. This is the model that has been adopted by nearly all other countries developing similar apps. By choosing to develop its own centralised model, the UK has made itself something of an outlier in privacy terms.
Privacy concerns and ‘pseudonymised’ data
Matthew Gould, CEO of NHSX, has acknowledged that the de-centralised model offers greater privacy protection whilst also maintaining that the centralised model does provide adequate protection and noting that the app must be optimised for both privacy and functionality.
The DPIA highlights the fact that any privacy risk is reduced because the app does not use directly identifiable personal data. Whilst this is a valid point, it has been undermined by poor use of language. The app’s privacy policy repeatedly uses the term ‘anonymous’. However, in legal terms the data is not in fact anonymous but is ‘pseudonymised’, meaning that it could be used to identify an individual if combined with other types of data, such as location data.
Whilst the DPIA states that this will not happen, Mr Gould has already indicated that the app may be further developed to capture this type of data in the future. It is exactly this type of inconsistency and uncertainty that are driving the accusations that the DHSC is being less than transparent.
Ultimately, whilst the privacy concerns raised are certainly not spurious, it is nevertheless true that many of the core issues relate to potential future actions and uncertainties that have yet to crystallise. Against the current climate, it therefore seems unlikely that the launch of the app in the UK would actually be blocked on privacy grounds. However, it must also be recognised that public awareness of the privacy issues posed by the app is increasing with every day of delay.
If public confidence in the app is undermined the real risk is that individuals will vote with their feet and simply choose not to download the app. The government is no doubt increasingly mindful that unless 60% of the population can be persuaded to download the app, it will not make a material impact in the fight against coronavirus.
To find out more about the data protection needs of your business, contact our specialist team.
This article was first published on 23 July 2020 in Business Weekly.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at July 2020.