Lawyers express mixed views over privacy of NHSX contact tracing app
Lawyers have expressed mixed views over the safety of the UK government’s new coronavirus contact tracing app.
Ross McKenzie, partner at Addleshaw Goddard who specialises in data protection compliance, said the public should have confidence in data protection laws and that they should not become a barrier to the implementation of the app, which could help control the spread of the virus after lockdown restrictions are lifted.
He said: “As countries start to lift lockdown measures and with Scotland likely to face at least another three weeks of current restrictions, we want to get out of this situation safely and contact-tracing could limit and, potentially, eradicate the spread.”
Current data protection laws including the General Data Protection Regulation (GDPR) require apps that process personal data to be developed with privacy by design principles where data protection measures must be embedded into the technology. This means apps should only use collected data for its stated purpose and it is important that users understand what those purposes are.
The data collected through the NHSX’s clinical testing app is anonymised which should mean that data protection laws do not apply. However, because the information at the time of collection is identifiable, then data protection needs to be factored in.
The technology that NHSX has built will allow smartphones to track every other device they have come into contact within the 28 days and it has been confirmed that the data will not be stored for more than 28 days. NHSX has also confirmed that data will be deleted once the pandemic is over.
Mr McKenzie continued: “There has to be personal data used to drive the app, as it is all about protecting our personal health. However, communicating the fact that the data collected from the NHSX app will not be linked back to users individually, is critical in alleviating fears about downloading the app.
“We should think of the app as a social bargain – the majority of us need to install and use the app correctly if we want to get out of current restrictions safely, quickly and with confidence.”
Davidson Chalmers partner, Laura Irvine, who is also a data specialist, said, however, that she was concerned over the personal location data the app gathers.
She told SLN: “I am concerned about making sure that when the state interferes with an individual’s privacy, that is done for the right reasons and in the least invasive way.
“The NHSX app appears to have considered privacy but the information you provide is not anonymous and could be used to identify you. There are elements of anonymity – so for example, if you are notified that you have been in contact with someone who has self-reported symptoms then you are unlikely to be able to identify them. But the data about the location of your phone is likely to be information about your location, and therefore you are being tracked.”
She also warned about the potential for mission creep with the app.
“I would want to know who has that data and who is it being shared with; who can it be shared with in the future; what are they doing with and what will they do with it? If it is being shared in a truly anonymous way for research purposes then I am less concerned. But if mission creep is built into the app, and given that our understanding of the virus and its ability to spread, then it makes sense to build in some flexibility and the possibility for mission creep. That is concerning from a privacy point of view.”
She added: “And finally – will it be effective? In order to give up my privacy I would want to know how it will help me, others and the NHS? The effectiveness of contact tracing through the app is not clear to me yet from what I have read.”