Kzenon - stock.adobe.com
Privacy campaigners at The Open Rights Group and Big Brother Watch have joined forces to demand the government clarify how people’s private data will be kept safe and secure under the Test and Trace regulations, which have come into full force today alongside the launch of the NHSX contact-tracing app.
Released amid the typical lack of clarity or due process that Britain has come to expect from its present government, the app – which is set to suck up over £35m of taxpayers’ money – forms a key element of the government’s so-called plan to bring the Covid-19 pandemic under control.
According to the app’s backers, trials in the London borough of Newham, on the Isle of Wight and with a group of NHS volunteers, appear to show that when used alongside traditional contact-tracing methods, the app may be highly effective in contacting people who have received a positive Covid-19 test result.
It is also going to be used by businesses – such as pubs and restaurants – in England and Wales, to enable customers to check in instead of filling out their details by other means, something that is now legally compulsory. In theory, this is supposed to provide a joined-up way for the Test and Trace programme to contact them should it prove necessary.
However, the ORG and Big Brother Watch argue that having ducked its legal responsibility to provide a public Data Protection Impact Assessment (DPIA) or fully explained the legal responsibilities of pubs and restaurants with regard to their customer data, it appears likely that customer information will not be handled safely, legally or competently.
The organisations cited multiple stories of data collected over the past few months that has been used to send customers unsolicited adverts, and even to harass women.
They have now instructed data rights agency AWO to send a letter to health secretary Matt Hancock demanding he provide more information on how data collected through the app will be kept safe and secure, and whether or not he has finally conducted a DPIA for the Test and Trace programme – which by the government’s own admission has been operating unlawfully since its inception as a result of this failure.
Read more about contact-tracing
- Head of Track and Trace and health minister stung by criticism about contact-tracing app’s development compared with Scotland and Ireland, but reveals further details of app.
- Tech teams supporting agents working remotely on Covid-19 surveillance efforts in several US cities and the state of Illinois eschew traditional IT and opt for cloud platforms.
- Survey of more than 16,000 users in the US, UK, France, Germany, Italy and Spain about mobile applications for Covid-19 tracking reveals global consensus that user trust is lacking.
ORG executive director Jim Killock said: “Government’s first duty is to protect its citizens. This government’s reckless behaviour is once again endangering public health. We have long argued that the government’s test and trace programme must be trusted by the public in order to effectively protect us from Covid-19.
“This government’s failure to conduct the legally required data safety assessment means that no one knows how people’s details will be safely and legally collected, stored and protected by bars, restaurants, and coffee shops. No one knows what will happen if things goes wrong and this government doesn’t seem to have thought this through.”
He said the government had had six months to get the Test and Trace programme shipshape, but that it seemed to prefer to fly by the seat of its pants.
Silkie Carlo, director of Big Brother Watch added: “This law could easily lead to the mass recording of our movements and there is a serious question as to whether this is safe and lawful.
“The government’s new approach to contact tracing is no longer based on public trust, but on exclusion, criminal sanctions and police enforcement. Many people will be rightly shocked to find they’re refused entry to coffee shops and restaurants unless they use the NHSX App or hand over their personal contact details.
“Businesses won’t be able to comply with this draconian new diktat as well as data protection law and many will be fearing sanctions. This is an excessive law that poses a serious risk to privacy and data rights.”
Lack of transparency
Ben van Enckevort, chief technology officer and co-founder of privacy and data ethics firm Metomic, said the lack of transparency around the process did indeed set an alarming precedent.
“Citizens are already wary of sharing their data with the government after the recent A-Levels fiasco and the Department of Health’s admission that its Test and Trace system breached GDPR rules. Without clear and meaningful communication about the data the contact tracing app will be collecting, the UK government is putting data privacy at risk, discounting critical best practice and breeding further distrust,” he said.
“From a technical perspective, while the government has put security and privacy measures in place, there is a fundamental lack of Data Protection Impact Assessment (DPIA) – a process established by the Information Commissioner’s Office (ICO) to minimise the data protection risks of a project. With the government’s track record, when it comes to protecting citizens’ data privacy, the least it should do is follow the process.
“As we enter a second wave of Covid-19, contact tracing has the potential to be a crucial tool to save lives,” said Enckevort.
“However, if the app doesn’t clearly communicate how people’s data will be used and protected, people won’t trust it enough to use it. The UK government therefore must be transparent on data privacy and usage with contact tracing. If they don’t, it simply won’t be able to count on its greatest weapon to fight the virus: people’s common sense.”