Covid-19 Contact-tracing apps and privacy guidance

Smartphone tracing apps are gaining significant attention around the world as countries look to ease lockdown measures put in place to control the Covid-19 pandemic, but they raise significant privacy concerns. Speaking during a UK government briefing over the Easter weekend on April 12th, the Secretary of State for Health, Matt Hancock, confirmed that a new NHS smartphone app for contact-tracing is being developed in conjunction with leading technology companies.

NHS Digital (NHSX), the digital innovation unit of the NHS will test the smartphone app in a pilot study in the North of England before it is released to the wider UK population. Similar contact-tracing apps are already operating in other parts of the world, and are notably being used to ease lockdown restrictions in mainland China. Taiwan, Singapore, Hong Kong and South Korea have also all released contact-tracing apps in recent weeks.

How do contact tracing apps work?

Early contact-tracing apps worked by collecting GPS data from users’ smartphones, together with the scanning of QR codes, and consolidated data in a large centralised server to trace co-location between infected users and other individuals. Clearly, this raises very serious concerns on the processing of personal data and privacy.

The UK’s proposal, seen in the development of other contact-tracing apps elsewhere in the world, uses Bluetooth technology to significantly minimise the use of personal data. Generally speaking, these apps use Bluetooth Low Energy signals to reduce the need to send data to remote application servers.  The apps work by broadcasting unique digital tokens at regularly set intervals.  It is understood that tokens do not contain any geographical data and cannot be traced back to the user’s device. The tokens of users diagnosed with Covid-19 are also uploaded to a central server, which then sends them to all app users. Each app checks downloaded tokens against a local database and any matches signify that the user has possibly come into contact with a person infected with the virus.

The Department of Health has stated that different tokens will be used to distinguish between individuals who have been medically diagnosed with Covid-19, and individuals who are experiencing the symptoms of the disease but who have either not undergone a test, or are waiting to receive results from a test undertaken.

It has been reported that in order for the app to stop the spread of coronavirus, 80% of current smartphone users in the UK (not including the shielded over-70s group) would need to download and use it. However, a lower uptake could still provide significant data, and it is hoped that information can be used to address this pandemic. The success of the system would also require wide-spread testing, which is yet to take place in the UK although the government has announced plans to scale-up testing to 100,000 daily tests by the end of April. A target even ministers admit is a challenge.

Data protection concerns

Contact-tracing apps could offer important information on the spread of Covid-19. However, such large scale monitoring, possibly linked to location and health data is raising cybersecurity and privacy concerns.  While the advent of the Covid-19 pandemic is unprecedented, it is clear that the obligations of the GDPR remain, as we have reported in our earlier article. The rapid deployment and use of contact-tracing apps raises many questions concerning the extent to which data controllers are compliant with the applicable legislation, namely the General Data Protection Regulation (‘GDPR’), the Privacy and Electronic Communications Regulations (PECR), and the Data Protection Act 2018 (Data Protection Legislation).

One of the core data protection principles of the GDPR is purpose limitation. In practice, this means that governments and health authorities deploying contact-tracing apps must be clear why they are collecting personal data and what they intend to do with it. As contact-tracing apps may have multiple purposes (e.g. identifying contact with infected individuals, and/or analysis of symptoms and offering advice), a transparent statement of purpose is required. The GDPR also requires a lawful basis for processing data to be identified. Although consent is not the only legal basis for processing, it is safer to rely on consent when processing any special category sensitive data, and consent may well be required for some specific processing activities under PECR.

Data anonymisation

Under the GDPR, personal data is any information that relates to an identified individual or an individual who is, without too much trouble is identifiable. Special category data is any personal data that needs more protection because of its sensitive nature. This includes genetic data, biometric data, and data concerning health. However, any personal data or special category data that is properly anonymised (and not just pseudonymised) are not considered to be personal data for the purposes of Data Protection Legislation. On March 28th, the Information Commissioner’s Office (ICO) advised the government that the use of anonymised mobile phone tracking data in the fight against the coronavirus does not run afoul of data protection law, as we first reported here.  Whether that view remains the case should a privacy campaigner raise issues or bring complaints remains to be seen.

Although Bluetooth-enabled apps are considered to be a better and safer alternative to GPS-enabled contact-tracing apps from a privacy perspective, they also raise privacy concerns. For example, in order to use anonymised tokens for research, the NHS would still require complementary information to ultimately link data to app users and NHSX is yet to clarify whether it will be collecting other data points in addition to proximity and daily tokens. Furthermore, publications such as the Guardian newspaper are reporting that NHSX is considering whether to use device IDs to de-anonymise data and link it back to users if “ministers judge that to be proportionate at some stage.” However, ultimately, the NHS and the government hope that the use of Bluetooth signal technology will help allay fears over privacy and encourage user take-up of the app.

Data retention concerns

The GDPR also imposes strict rules on the retention of data, and any personal data should not be kept for any longer than is necessary. The Department of Health has stated that data will be stored securely, and will be retained for no longer than necessary. What constitutes the necessary period is of course not known. The government has also promised to publish the open source code used by the app. Further, NHSX has also stated that there are currently no plans to make use of existing apps and other functions typically installed on smartphones (such as Google maps) and that there are no plans to use device IDs of users in any contact-tracing app-based solutions.

Apple and Google’s approach

The UK’s announcement that NHSX is independently developing a contact-tracing app came shortly after Apple and Google stated that they were collaborating to develop technology that will enable governments to introduce contact-tracing apps on either iPhones or Android smartphones. Apple and Google announced that they are using Bluetooth technology to develop a decentralised application programming interface (API), which will prevent governments from building a surveillance-style centralised database of contacts. We have reported on Apple and Google’s collaboration in our recent Data Blast here.

At the time of writing, it is reported that Apple and Google’s announcement has come as somewhat of a surprise to NHSX because if its app does not implement Apple and Google’s API protocol, it will not be able to access Bluetooth when it is running in the background, and so would only work when the app is open and the phone unlocked. Obviously, such a restriction would severely limit the operational usefulness of the contact-tracing app. It is understood that NHSX is in consultation with Apple and Google to find a solution to this issue. We will report and update on any developments as and when they emerge.

EU Commission’s recommendation for a common approach

On April 8th 2020, the European Commission published its draft recommendations to support exit strategies through the use of smartphone apps, as it seeks to develop a common pan-European coordinated approach to use mobile apps to take effective and more targeted social distancing measures, and the introduction of contact-tracing in response to the Covid-19 pandemic. The Commission’s press release can be read here. The Commission’s vice-president has stated that trust in the public use of these apps is vital to their effectiveness on a broad scale.

Then, on April 16th the Commission published its Toolbox for the use of mobile contact-tracing apps, which can be read here. The publication of the Commission’s Toolbox comes as the Switzerland-based Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) comes under criticism for a lack of transparency in its software operations. We first reported on PEPP-PT in our earlier Data Blast here.

The Toolbox has been developed by the e-Health Network (a platform of Member States’ competent authorities dealing with digital health) with the support of the Commission, and is accompanied by guidance from data protection authorities. In summary, contact-tracing apps should:

• Be fully compliant with EU data protection and privacy legislation;
• Be implemented in close coordination with, and approved by, public health authorities;
• Be installed voluntarily and dismantled as soon as no longer required;
• Use anonymised data and not reveal the identity of the people infected;
• Be interoperable across the territory of the EU;
• Exploit the latest privacy-enhancing Bluetooth proximity technology;
• Be anchored in accepted epidemiological guidance, and reflect best practice on cybersecurity and accessibility; and
• Be secure and effective.
• ​Smartphone tracing apps are gaining significant attention around the world as countries look to ease lockdown measures put in place to control the Covid-19 pandemic, but they raise significant privacy concerns. Speaking during a UK government briefing over the Easter weekend on April 12th, the Secretary of State for Health, Matt Hancock, confirmed that a new NHS smartphone app for contact-tracing is being developed in conjunction with leading technology companies.

Guidance from the European Data Protection Board

As part of the Commission’s contact-tracing initiative, it has been working closely with the European Data Protection Board (EDPB) to ensure that the guidance and Toolbox comply with applicable Data Protection Legislation.  Alongside the Toolbox, the Commission has also published specific guidance from the EDPB to ensure full data protection standards of contact-tracing apps, which can be read here. In summary, EDPB’s guidance states that:

• National health authorities should be accountable for compliance with EU data protection rules given the high sensitivity of the data and the ultimate purpose of contact-tracing apps;
• Installation of contact-tracing apps should be voluntary and users should remain in full control of their personal data;
• Any contact-tracing app should adhere to the principle of data minimisation and should not use location data;
• Strict limits should be imposed on data storage with personal data being kept for no longer than is absolutely necessary, taking into account medical relevance as well as administrative requirements;
• Data should be stored on a user’s device in encrypted form;
• Any data processed by third parties must be accurate; and
• National data protection authorities should be fully involved and consulted in the development of contact-tracing apps and should review the deployment of apps

In summary, the widespread roll-out of contact-tracing apps demonstrates the significant impact that technology and data may have on easing lockdown restrictions and ultimately bringing the pandemic to an end. However, if the general public accepts the use of their personal data during this pandemic, they may become desensitised to future use in the context of crime prevention and anti-terrorism surveillance. Or perhaps governments will simply see how much they want to monitor our activity, and this may open a fascinating debate about the population’s willingness to consent. Whilst some governments around the world, most notably in China, are already using personal data for such tracking purposes, the UK and EU are likely to take a more cautious approach once the Covid-19 pandemic has passed. We shall continue to watch and report, and if you have any questions please contact James Tumbridge, or David Pountney.