It seems that we are now only a couple of weeks away from the roll-out of the next step of the UK Government's Covid-19 containment strategy, and that a contact-tracing app will be a key element of this new phase. However the Government will be required to balance the privacy rights of citizens with its efforts to ease lockdown.

  • What are contract tracing apps and how will they help in the efforts to stem the pandemic?

Contact-tracing apps have already been adopted in many countries to help contain the spread of Covid-19 and assist the laborious process of manual contact tracing. The apps use either short range Bluetooth or GPS technology to trace and alert individuals who have come in close contact with anyone who has been diagnosed with Covid-19. 

The alerted individuals will then be advised to self-quarantine until they are tested or 14 days has lapsed with no symptoms. As any self-quarantine performed will be targeted and risk-based, it is hoped that the further spread of Covid-19 will be quickly contained and that the rest of the population will be able to go about their daily life and contribute to the economy as usual.

  • What are the key data protection issues?

Due to the potentially sensitive nature of the personal data processed by app providers, one of the key privacy concerns will be to ensure that any personal data collected is anonymised, secure, not easily re-identified and kept for no longer than necessary. The technology framework proposed by Apple and Google's alliance took the “de-centralised” approach, meaning the matching and tracing of at-risk individuals would occur on individuals’ handsets rather than via a centrally-held database. 

It is intended that this approach would minimise the risks that a hacker or some other bad actor could access or misuse the centralised data. Governments in some countries (including the UK) however are concerned that the de-centralised approach means that the health authorities will not be able to have real-time oversight over the spread of Covid-19 and the effectiveness of the app.

The efficacy of any app will also be highly dependent on uptake and proper usage. In the UK, it is estimated that around 80% of existing mobile phone users will need to download the tracing app, report any symptoms or test results and ultimately follow any quarantine instructions. New devices may also need to be rolled out to vulnerable individuals without a suitable smartphone.

  • What does the ICO think about it?

Since the beginning of the pandemic, the Information Commissioner's Office has been supportive of the innovative use of data to fight Covid-19 provided that the principles of transparency, fairness and proportionality are applied in accordance with GDPR. The ICO has reviewed the framework built by Apple and Google and acknowledged that the technology appears to be aligned with data protection principles.

However, it would also be possible for app developers to misuse the technology and process data for longer periods of time than necessary or for unintended purposes. The ICO will therefore continue to monitor the development of contact tracing apps and provide further opinions where necessary. The ICO has also stated that it is working closely with the digital arm of the NHS (NHSX) and will continue to support the NHSX app as it is developed, rolled out and utilised.

  • NHSX’s proposal

NHSX is expecting to roll out its own contact-tracing app in the next few weeks. NHSX has rejected the framework proposed by the Apple-Google alliance, citing performance reasons and functionality issues, and has instead preferred a centralised platform where contacts are represented by an anonymised “identifier”. 

The centralised approach would mean alerts are sent to a user's phone from the NHSX server, whereas Apple and Google’s de-centralized approach would involve direct communication between devices (and these alerts would not logged centrally).

To address cyber security concerns regarding, NHSX has invited the National Cyber Security Centre to provide expert advice. GCHQ has also been enlisted to support and protect NHS digital infrastructure as required to address Covid-19. 

  • A way forward?

The development and use of contact-tracing apps represent a tangible way in which technology and data can be used to stem the effects of the pandemic and ease lockdown. As long as developers continue to comply with their obligations under GDPR and heed the ICO's guidance, this should result in a powerful tool to help our society take steps back towards normality.

If you have any data protection or tech queries about this subject, please contact david.varney@burges-salmon.com