With the launch of a COVID-19 contact-tracing app on the Isle of Wight this week, concerns over data protection and cybersecurity have been raised ahead of a proposed national roll-out.
The clinical testing app, developed by NHSX, will use Bluetooth to alert users if they have spent more than 15 minutes within close proximity to someone who has tested positive for COVID-19.
Users will be advised to self-isolate and monitor potential symptoms if they have come into contact with carriers of the virus.
It is understood that the app will likely be rolled out nationwide within a matter of weeks, and the UK Government hopes it could help end the national lockdown.
Earlier this week, however, serious concerns over the app’s security were raised. A report by HSJ suggested that it “failed all the tests” required for it to feature in the NHS Apps Library.
The failures identified included issues with clinical safety and performance as well as cybersecurity, the publication noted.
A senior NHS source told HSJ: “The real problem is the government initially started saying it was a ‘privacy-preserving highly anonymous app’, but it quite clearly isn’t going to be. When you use the app and you’re not [COVID-19] positive in the early stages, you’re just exchanging signals between two machines.
“But the second you say, ‘actually I’m positive’, that has to go back up to the government server, where it starts to track you versus other people.”
A spokesperson for the Department of Health and Social Care (DHSC), insisted that the app will not track people’s location with GPS, but will simply monitor who an individual has been near to via Bluetooth.
“The NHS COVID-19 app has not failed any clinical assessments and NHS Digital has been clear it will go through the normal assessment and approval process following the Isle of Wight roll-out,” the spokesperson told HSJ.
Privacy rights groups have criticised the government’s decision to launch the app trial and have not been impressed with attempts to alleviate worries.
Lawyers for Open Rights Group (ORG) have written to Health Secretary Matt Hancock and NHSX to demand confirmation that a “full and adequate” data protection impact assessment will be conducted. The privacy rights group also requested that the results of any impact assessments be published fully.
Jim Killock, executive director of ORG, questioned whether NHSX has adequately addressed potential privacy risks and warned against compiling large any large databases containing personal information.
“The NHS has chosen to use a very intrusive solution to contact tracing, so must be especially careful about the risk management,” he said. “They have failed to consult with the ICO on those risks, and have not published information about them in advance of public trials.”
“We are worried that NHSX will not have fully addressed the many privacy risks that come with building a massive database of personal contact events,” Killock added.
Ross McKenzie, partner at law firm Addleshaw Goddard which specialises in data protection compliance, insisted the public should have confidence in data protection legislation and not present barriers to the implementation of the contact-tracing app.
“We are in the midst of a global health crisis which has devastated people across the globe, both personally and professionally. The power of technology has never been so prominent and we now have the opportunity to harness it to aide our recovery from the pandemic and, ultimately, save lives,” he said.
Current data protection laws, including GDPR, require apps that process personal data to be developed with privacy by design principles where data protection measures are embedded into the technology itself.
This means apps should only use collected data for its stated purpose, and it is critical that users understand what those specific purposes are.
- Holyrood announces review of tech sector role in post-Covid economic recovery
- Astronaut Tim Peake to host live webinar for Scottish schoolchildren
- Heat detection camera launched by Vodafone to trace potential Covid-19 carriers
The NHSX clinical testing app is anonymised, McKenzie noted, which means that data protection laws do not apply. However, due to the fact that information at the time of collection is identifiable, then data protection must be factored in.
“There has to be personal data used to drive the app, as it is all about protecting our personal health,” he insisted. “However, communicating the fact that data collected from the NHSX app will not be linked back to users individually is critical in alleviating fears about downloading the app.
“We should think of the app as a social bargain – the majority of us need to install and use the app correctly if we want to get our of the current restrictions safely, quickly and with confidence,” Mckenzie added.
NHSX has confirmed that the collected data will not be stored for more than 28 days, and will also be deleted once the pandemic is over.