Data privacy groups pile in on UK contact-tracing app

After making the promise in May of no less than a “world-beating” test, trace and isolate (TTI) regime by 1 June, the contact tracing app at the heart of the programme is yet to be launched – but even as the government scrambles to get it out to the public, more bodies from disparate groups have warned that the proposed application will pose a threat to user privacy, thus hampering uptake.

The whole story of the UK’s contact-tracing app has been one of unmitigated struggle. The contact-tracing app became available for download as a test on the Isle of Wight from 4 May 2020, using Bluetooth Low Energy technology to alert people who may have been exposed to the coronavirus so that they can take action to protect themselves.

Once installed, the app logs the distance between a user’s smartphone and other phones nearby that also have the app installed. The anonymous log of how close users are to others will be stored securely on the user’s phone. If a user becomes unwell with symptoms of Covid-19, they can allow the app to inform the NHS of their status, which will then, subject to risk analysis, trigger an anonymous alert to other app users with whom the user has come into significant contact over the previous few days.

Yet almost as soon as the first details of the app’s capability were announced, critics weighed in with concerns over what it could achieve, its technical capability, and whether the public could, or would, make representative use of it. Particular concerns were held over whether the app’s centralised nature would lead to privacy breaches and whether it would be any use at all though a lack of user uptake. Details have also emerged of a shadow app development project.

These worries have persisted past the two officially stated launch dates of first mid-May 2020 and then 1 June, with the UK government attracting criticism for not only not launching the product as scheduled but also not being able to say when it may launch, and exactly how many people that have downloaded it during the Isle of Wight test are actually using it – or how many are self-isolating as a result of following the operating procedures.

And flatly contradicting official assurances, more bad news for the programme came when The Guardian reported on 4 June that Tony Prestedge, the chief operating officer of the NHS scheme, had told his staff in a webinar that the programme would be “imperfect” at launch and that he hoped it would be operational at a world-class level in three to four months.

“I am sure when [Dido Harding, chief executive of the Track and Trace scheme] announces this service later she will make clear that it is an imperfect service at launch, and that we will improve over time and make it world-class by the time we are moving towards the September or October time,” he said.

Taking to BBC Radio and TV on 5 June in attempt to refute The Guardian’s report, UK Transport secretary Grant Shapps inadvertently admitted on The Today Programme that Prestedge was referring to the app and not the programme as whole when speaking about delays.

Now, the UK government is facing calls for an investigation from the UK Information Commission’s Office (ICO) into alleged breaches of data protection laws by the NHS Test and Trace regime.

When the first details of the app were revealed in April 2020, ICO commissioner Elizabeth Denham warned that while the ICO recognised the vital role that data can play in tracking the pandemic and the need to act urgently, people had to have trust and confidence in the way personal data is used to respond to the Covid-19 crisis.

UK-based digital privacy and free speech campaigning organisation the Open Rights Group (ORG) has instructed the legal director of the data rights agency AWO, Ravi Naik, to file a complaint with the ICO concerning the national roll-out of Test and Trace, asserting that the system has been deployed in breach of GDPR regulations.

ORG’s lawyers have also separately written to Matt Hancock, the secretary of state for health, Matthew Gould, the CEO of NHSX at the UK National Health Service’s digital innovation unit, and Duncan Selbie, chief executive of Public Health England, asking for clarity around the Test and Trace system.

ORG argues that to-date, there has been no data protection impact assessment as required by law, leaving no confidence that risks are adequately mitigated. It added that security risks have already been identified that place people at risk and that its 20-year data retention period was “excessive”, and likely to put people off participation; the programme’s commercial and research purposes are unclear as matters stand – making the retention period even more problematic – and that the privacy notice associated with Test and Trace is flawed.

“The ICO must act to enforce the law,” said ORG executive director Jim Killock. “The government is moving too fast, and breaking things as a result. If they carry on in this manner, public confidence will be undermined, and people will refuse to engage with the Track and Trace programme. Public health objectives are being undermined by failures to get privacy and data protection basics in place.”