UK contact tracing app faces uphill battle to satisfy privacy laws

NHS - PA

The NHSX contact-tracing app faces an uphill battle to satisfy privacy concerns ahead of launch, experts have warned.

Dr Orla Lynskey, associate professor of law at the London School of Economics, said that plans to allow the app to record location data risk undermining trust in the system.

“There is an inherent risk that if you create a system that can be added to incrementally, you could do so in a way that is very privacy invasive,” she told the joint Human Rights select committee.

The app, being trialled in the Isle of Wight this week, uses Bluetooth technology to work out when other app users are in close enough proximity to spread the virus.

Users will tell the app when they have symptoms linked to Covid-19, and if the virus is suspected, they can then choose to share their proximity logs from the last 28 days with the NHS.

The NHS app works on a “centralised” model: phones exchange anonymised identifiers over Bluetooth, and when a user reports symptoms the resulting proximity log is uploaded to a central NHS server, which works out which other users to alert.

A decentralised app, such as the one proposed by Google and Apple, would operate differently: the matching happens on the handset, which compares the identifiers it has heard against a published list of keys belonging to users who have reported positive. Proximity logs never leave the phone and are not siphoned into a government data store.

“As a general rule, the decentralised approach allows most readily for best practice compliance with the data minimisation principle,” the Information Commissioner’s Office said in evidence to Parliament’s Human Rights Committee.
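To make the data minimisation point concrete, the following is an added toy simulation of the two architectures described above. It is illustrative code written for this page, not the NHSX app or the Apple/Google protocol: the rolling identifiers are an HMAC of an interval counter under a random per-device daily key (an assumption chosen for simplicity), the phone names and encounters are constructed sample data, and the two `*_report` functions return what each model's server ends up knowing so the difference can be compared directly.

```python
import hashlib
import hmac
import secrets


def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Toy rolling identifier broadcast over Bluetooth: HMAC-SHA256 of the
    interval counter under the device's daily key, truncated to 16 bytes.
    Assumed scheme for illustration only; real key schedules differ."""
    return hmac.new(daily_key, interval.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self, name: str):
        self.name = name
        self.daily_key = secrets.token_bytes(16)
        self.seen = []  # (rolling_id, interval) pairs heard from nearby phones

    def beacon(self, interval: int) -> bytes:
        return rolling_id(self.daily_key, interval)

    def hear(self, rid: bytes, interval: int) -> None:
        self.seen.append((rid, interval))


def run_encounters(phones: dict, encounters) -> None:
    """encounters: iterable of (name_a, name_b, interval). Both sides log the other's beacon."""
    for a, b, interval in encounters:
        phones[a].hear(phones[b].beacon(interval), interval)
        phones[b].hear(phones[a].beacon(interval), interval)


def centralised_report(phones: dict, reporter: str, intervals):
    """Centralised model: the server issued every daily key, so when the
    reporter uploads its proximity log the server can resolve each rolling
    identifier back to a registered user and decide whom to alert.
    Side effect: the server now knows the reporter's contact graph."""
    registry = {name: p.daily_key for name, p in phones.items()}  # server-side key store
    lookup = {rolling_id(key, i): name for name, key in registry.items() for i in intervals}
    contacts = {lookup[rid] for rid, _ in phones[reporter].seen if rid in lookup}
    server_knowledge = {reporter: contacts}
    return contacts, server_knowledge


def decentralised_report(phones: dict, reporter: str, intervals):
    """Decentralised model: the reporter publishes only its daily key. Every
    phone downloads the published keys, re-derives the identifiers and matches
    against its own log locally. The server never sees a proximity log and
    holds nothing that names a user."""
    published_keys = [phones[reporter].daily_key]  # the entirety of what the server stores
    positive_ids = {rolling_id(k, i) for k in published_keys for i in intervals}
    alerted = {
        name for name, phone in phones.items()
        if name != reporter and any(rid in positive_ids for rid, _ in phone.seen)
    }
    return alerted, published_keys


def demo():
    # Constructed sample: alice meets bob and carol, bob meets carol, dave meets nobody.
    phones = {n: Phone(n) for n in ("alice", "bob", "carol", "dave")}
    intervals = range(10)
    run_encounters(phones, [("alice", "bob", 2), ("alice", "carol", 5), ("bob", "carol", 7)])
    c_alerts, c_server = centralised_report(phones, "alice", intervals)
    d_alerts, d_server = decentralised_report(phones, "alice", intervals)
    return c_alerts, c_server, d_alerts, d_server


if __name__ == "__main__":
    c_alerts, c_server, d_alerts, d_server = demo()
    print("centralised: alerts", sorted(c_alerts), "| server learned", c_server)
    print("decentralised: alerts", sorted(d_alerts), "| server holds", len(d_server), "key(s), no names")
```

Both models alert the same people (bob and carol), which is the point: the alerting outcome is identical, but in the centralised run the server ends the exercise holding a named list of who alice met, whereas in the decentralised run it holds a single opaque key and no log at all. Feature creep of the kind the witnesses warn about (location data, risk scores) has somewhere to accumulate in the first design and nowhere in the second.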

Michael Veale, an expert on digital rights at University College London, told MPs that adding further features and collecting more data could gradually lead to “the kind of progression of a traffic light kind of system that they have been trialling in China”.

Such concerns might be seen as bumps in the road to widespread adoption of the app.

“It will definitely be a struggle to convince others to download a government app on their phone,” says Matt Burfield, an Isle of Wight resident.

Last week, more than 150 UK academics signed a letter warning that the UK risked a creep towards a “surveillance state” unless the technology was kept in check.

Britain’s efforts also face legal opposition. A legal opinion from barristers at Matrix Chambers, Blackstone Chambers and data rights agency AWO published late on Sunday argued the tech proposals would “need detailed justification” to satisfy human rights law, and some use of the data “may be illegal”.

Contact-tracing data collection, in particular, would “require significantly greater justification to be lawful” where it interferes with the right to privacy protected by human rights law.

There are also questions over whether the app can meet the NHS’s own cyber security requirements. A report from Health Services Journal on Monday claimed the app had so far failed the security assessment needed for inclusion in the NHS app library.

These concerns make it harder to persuade people to download the app in the numbers needed for contact tracing to work.


Transport Secretary Grant Shapps said around 50pc to 60pc of people will need to use the software for it to be effective as he described it as the “best possible way to help the NHS”.

“If we are going to get the kind of engagement we need with the public we are going to need to win their trust,” says Matthew Gould, boss of NHSX.

Gould said the app collects no personal details from users, relying instead on an anonymous key assigned to each installation that, he said, could not be linked back to them.

“The app is designed so you don't have to give it your personal details to use it - it does ask for the first half of your postcode but only that.

“You can use it without giving any other personal details at all - it doesn't know who you are, it doesn't know who you've been near, it doesn't know where you've been.”

The National Cyber Security Centre (NCSC), which has helped with the app's development, said privacy-preserving gateways had been built into the system so that all app data would be kept separate from other NHS data and to prevent individuals from being identified.