COVID-19 Tracking App – abuse of privacy, or essential tool?
28 - 04 - 2020
Data Protection and Privacy
Data, it was said, was the new oil (until oil prices went negative); but it is now one of the routes to tracking Covid-19. Perhaps, by ensuring distancing is maintained, it will be the route that allows us more freedom to move from our homes?
The release of further information on a tracking app, through the NHS, has unleashed an anticipated storm of negative comment, and of course genuine concern: will it provide even more data to Google and Apple? Will it provide data to companies close to Dominic Cummings and some government éminences grises? Questions are also being raised about consent: is consent from 65 million people going to be needed?
Public perceptions of data
In the UK, people have always been very wary about handing over their personal data to government. ID card initiatives failed or were shelved; systems get hacked and laptops are left on trains; trust in government in the UK isn’t great, and none of this bodes well for the success of a tracking app. It certainly doesn’t help that we’ve come through a period of huge division in the country over Brexit, and the fact that the high priest of Vote Leave’s data use sits at the Prime Minister’s right hand doesn’t help with gaining the trust of one half of the population.
These issues play out differently in other countries. In Estonia, for example, the level of trust in government is very high, as is awareness of Russia on its border trying to hack its systems, so the country is able to operate almost entirely digitally, with high levels of security. In China, fear and authoritarianism do the job in their own way (though the figures appear to be highly unreliable, and of course there are other issues); in Israel, the fact that the country has been under existential threat throughout its lifetime means there has to be reliance on security communications.
A question of consent?
In pure data protection terms, consent ought not to be an issue: there are six lawful bases for processing personal data, and consent is only one of them. Two of the others, in the Information Commissioner’s Office’s wording, are:
- Vital interests: you can process personal data if it’s necessary to protect someone’s life. This could be the life of the data subject or someone else.
- Public task: the processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.
A pretty clear tick can be placed against these bases, on the Covid tracing app.
More than an issue of data protection?
The concerns then come up against public trust, but also against the principles of data protection. These are not “jobsworth” rules; they are genuine, essential safeguards: who will hold that data? How long will they hold it for? Will they hang on to it and use it for other purposes? Will they gather more data than is strictly needed? On these aspects the data protection principles of lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality are the yardstick.
That’s the theory. In many commercial circumstances, though, the answers depend on the technical and organisational measures you trust the provider to have in place, and those are providers people have chosen to interact with, even if they tend to click without reading any terms. An app which an entire country, and four nations (plus the “people’s republic of Yorkshire”), is expected to trust is a different thing.
It is not therefore really only a question of what the law allows: the law allows it. You can see some people deciding to disable their Bluetooth connections, for either good or ideological (maybe also good) reasons. Will they decide that a Covid-19 app is for the greater good? Will the idiots attacking 5G masts decide that actually they got it wrong (though they might not be the data protection experts)?
As ever, the Information Commissioner is a sensible voice in the debate. On this specific point, this item has been published (link), and, unusually, the ICO has published a formal opinion on the issue. The NHSX Chief Executive has also explained:
"The app will give the public a simple way to make a difference and to help keep themselves and their families safe. The technology is based on research evidence developed by epidemiologists, mathematical modellers and ethicists at Oxford University’s Nuffield Departments of Medicine and Population Health. Once you install the app, it will start logging the distance between your phone and other phones nearby that also have the app installed using Bluetooth Low Energy.
The NHSX statement continues:
This anonymous log of how close you are to others will be stored securely on your phone. If you become unwell with symptoms of COVID-19, you can choose to allow the app to inform the NHS which, subject to sophisticated risk analysis, will trigger an anonymous alert to those other app users with whom you came into significant contact over the previous few days.
The app will advise you what action to take if you have been close to someone who has become symptomatic – including advising you to self-isolate if necessary. The exact advice on what you should do will depend on the evolving context and approach. It will be based on the science, and will be approved by the Chief Medical Officer. Scientists and doctors will continuously support us to fine-tune the app to ensure it is as helpful as possible both to individuals and to the NHS in managing the pandemic."
This therefore is saying that the crucial data won’t be stored by government, or Apple, or Google: it will be stored on the phone (link). There will certainly be a huge amount of scrutiny and oversight, both from statutory bodies such as the ICO and from consumer bodies. It feels as if, as long as there isn’t an opt-in (which there doesn’t need to be), this will be regarded as the route to get us out of our homes and save lives. NHSX say:
“As part of our commitment to transparency, we will be publishing the key security and privacy designs alongside the source code so privacy experts can “look under the bonnet” and help us ensure the security is absolutely world class.”
It feels, at least, that those publishing the app know their responsibilities, deeper down than the average Twitter warriors.
Will Apple or Google own the data?
Going back to the Apple/Google point: the option the NHS is following is a natively designed app, not the Apple/Google route. Apple and Google say theirs should be superior because the matching is done on the phone rather than on a central server, and because it uses less battery (Bluetooth is power-hungry). In the NHS version the contact log stays on the phone until the user reports symptoms, at which point it is uploaded to a central server for the risk analysis; but, as above, there is a commitment to an unprecedented level of scrutiny. NHS Digital is based in Leeds, not Whitehall; I know some of the people deeply involved in it. I don’t see them as political tools. They understand the need for privacy by design.
The European Data Protection Board doesn’t express a preference between centralised and phone-based tracing; the key is the application of the principles to the need, and along that route there ought to be trust. Trust in the NHS, or trust in Google? Trust, perhaps, in openness and scrutiny.
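To make the difference between the two architectures concrete, here is a simplified model, added as an illustration and not code from NHSX, Apple or Google. It assumes each phone derives short-lived broadcast identifiers from a daily key with HMAC; that in the centralised design the server can map identifiers back to devices and receives the symptomatic user’s whole contact log; and that in the decentralised design the server only relays the diagnosed user’s key while every phone does its own matching. The names, key schedule, message formats and contact scenario are all invented for the example.

```python
"""Simplified model of centralised vs decentralised exposure notification.
Added illustration, not NHSX / Apple / Google code: the key schedule,
identifier derivation and server behaviour are assumptions for the example."""
import hashlib
import hmac
import secrets

ID_LEN = 16  # assumed length of the identifier broadcast over BLE


def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Short-lived broadcast identifier for one time interval.
    Assumption: HMAC-SHA256 of the interval counter, truncated."""
    msg = interval.to_bytes(4, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:ID_LEN]


class Phone:
    def __init__(self, name: str):
        self.name = name
        self.daily_key = secrets.token_bytes(16)
        self.observed = []  # (interval, identifier) pairs heard over BLE, kept on the phone

    def broadcast(self, interval: int) -> bytes:
        return rolling_id(self.daily_key, interval)

    def hear(self, interval: int, rid: bytes) -> None:
        self.observed.append((interval, rid))


def simulate_contacts(phones, contacts, intervals):
    """contacts: set of frozenset pairs of phone names that are in range of each other."""
    by_name = {p.name: p for p in phones}
    for t in range(intervals):
        for pair in contacts:
            a, b = tuple(pair)
            by_name[a].hear(t, by_name[b].broadcast(t))
            by_name[b].hear(t, by_name[a].broadcast(t))


# --- Centralised design: the server does the matching -----------------------
class CentralServer:
    """Assumed behaviour: every phone registers its key at install time, so the
    server can resolve any identifier to a device, and a symptomatic user
    uploads the whole contact log from their phone."""

    def __init__(self):
        self.registry = {}  # daily_key -> phone name
        self.learned = []   # everything the server gets to see

    def register(self, phone: Phone) -> None:
        self.registry[phone.daily_key] = phone.name

    def report(self, phone: Phone, intervals: int) -> set:
        lookup = {(t, rolling_id(k, t)): n
                  for k, n in self.registry.items() for t in range(intervals)}
        self.learned.append((phone.name, list(phone.observed)))  # full social graph of the reporter
        return {lookup[obs] for obs in phone.observed if obs in lookup}


def centralised(phones, symptomatic, intervals):
    server = CentralServer()
    for p in phones:
        server.register(p)
    notified = server.report(symptomatic, intervals)
    return notified, server.learned


# --- Decentralised design: each phone does the matching ---------------------
def decentralised(phones, symptomatic, intervals):
    """The server holds no registry and no contact logs; it only relays the
    diagnosed phone's key, and every other phone checks its own log locally."""
    published = [symptomatic.daily_key]
    notified = set()
    for p in phones:
        if p is symptomatic:
            continue
        candidates = {(t, rolling_id(k, t)) for k in published for t in range(intervals)}
        if any(obs in candidates for obs in p.observed):
            notified.add(p.name)
    return notified, published


def demo(intervals: int = 6):
    """Constructed scenario: A meets B and C; D meets nobody; A reports symptoms."""
    phones = [Phone(n) for n in "ABCD"]
    contacts = {frozenset("AB"), frozenset("AC")}
    simulate_contacts(phones, contacts, intervals)
    a = phones[0]
    return centralised(phones, a, intervals), decentralised(phones, a, intervals)


if __name__ == "__main__":
    (c_notified, c_learned), (d_notified, d_published) = demo()
    print("centralised notifies", sorted(c_notified), "server holds", len(c_learned[0][1]), "contact records")
    print("decentralised notifies", sorted(d_notified), "server holds", len(d_published), "key")
```

Both designs notify the same contacts; what differs is what the server sees. In the centralised run it holds the reporter’s entire contact log and can resolve every entry to a device, which is the reporter’s social graph; in the decentralised run it holds only the reporter’s own key, and the contact logs never leave the phones. That is the data-minimisation question the ICO and the EDPB are really asking of either design, and the one the published source code will let people check.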