Last month the COVID-19 contact-tracing app was launched in England and Wales, after initial trials among NHS volunteers, residents of the Isle of Wight and the London borough of Newham were conducted in August 2020.
Launched by NHSX, the innovation arm of the NHS, an earlier version of the app was initially scheduled for release in May. However, subsequent complications following trials on the Isle of Wight resulted in the release date being delayed. The UK government hopes that the recent deployment of the app will be a beneficial tool in tracking the spread of COVID-19 and suppressing its transmission within the wider population.
What is the contact-tracing app and how does it work?
The app, which has been developed using the Apple-Google model (we have previously discussed the different models of contact-tracing app), uses Bluetooth technology to measure the distance and duration of exposure between the user’s phone and other phones that have the app installed. A key code is then exchanged between the phones of all users to keep an anonymous log of the contact.
If a user becomes ill with COVID-19, they can update their status in the app. The app will then send an alert to other app users that the unwell person had previously been in close proximity to, instructing them to self-isolate.
The app uses a 'decentralised' approach. This means that the process of contact matching is performed through direct communication between devices (but these alerts are not logged centrally). The government initially preferred a 'centralised' system, meaning alerts would be sent to a user’s phone directly from the NHSX server. However, the government ultimately opted against using this approach in June in light of privacy and operational concerns.
As well as from determining whether someone has been in contact with an infected person, the app also allows users to:
- record their visit to a venue by scanning a QR code, which can enable them to easily see and keep track of businesses they have visited. A range of businesses including hospitality venues, tourism and close contact services in England now face £1,000 fines (escalating when more than one offence is committed) if they do not display an official NHS Test and Trace poster featuring a QR barcode assigned to them
- book a free test through the NHS Test and Trace website, if they have been instructed to do so by the alert system
- check the level of COVID-19 risk in their local area (based on the first part of their postcode).
What are the key data protection issues?
One of the key concerns with having a 'centralised' approach to the app was the risk that users’ personal data may be vulnerable, if the centrally-held database where their data is stored became compromised by malicious actors. The decentralised Apple-Google model subsequently adopted by the government means that the anonymised data of each user is stored on their personal handset, making it more difficult for the anonymised data to become identifiable and later misused. However, this also means that NHSX will not have a repository of public health data created by the app to use for analysis and later public health research.
As we have previously discussed, The Information Commissioner’s Office (ICO) has been supportive of the creative use of technology and data to counteract the effects of the COVID-19 pandemic, so long as data protection principles are adhered to in accordance with GDPR. The move to the decentralised model shows that the government has taken on board the ICO’s guidance on this topic, after the ICO issued a formal opinion on the Apple-Google model in April. The process undertaken by NHSX is indicative of the importance of incorporating privacy by design from the outset, in order to address any privacy concerns at an early stage. Following this process, the Department for Health and Social Care published the app’s data protection impact assessment (DPIA) at the end of September, which has subsequently been updated with new features. The DPIA explains how the NHS COVID-19 app incorporates the best practice guidance from the ICO.
How has the contact-tracing app been received by the public?
The decision of whether or not to download the app is, at this stage, voluntary. As such, there were initial concerns over the level of uptake from the general population, which is crucial to ensuring the effectiveness of the system. However, according to government statistics, six million people downloaded the app on the first day of its release, rising to 14 million people in its first week.
Despite this, recent press coverage indicates that some users have been encouraged by their employers to switch off the contact-tracing app whilst at work, and some teachers were asked to not use the app during school-hours in order to avoid unnecessary disruption (whilst other schools have specifically advised pupils and staff to download the app). As such, it remains to be seen if the contact-tracing app can be consistently used as an effective tool in the fight against COVID-19. Whilst there is still some scepticism over its accuracy, the measures taken to address privacy concerns should be critical in allowing the app to maintain public confidence, and encouraging large scale adoption across England and Wales.
The privacy-first design of the new COVID-19 app, and the detailed DPIA published recently, are indicative of how products should be designed in light of increasing public pressure to protect users’ personal data. If you have any data protection or technology queries about this subject, please contact our Data Protection team.