The NHSX coronavirus contact tracing app is being rolled out on the Isle of Wight this week, but major question marks still hang over the app. Matthew Gould, CEO of NHSX, told parliament today that the data collected by the app would be accessible to unspecified organisations as long as it was used for public health purposes.
He said that, rather than only the NHS being able to access the data, other organisations with a legitimate public health reason might be able to as well – seemingly opening up the possibility for third parties to lay claim to the data. “I can’t give you a definitive list of exactly who would have access to the data,” said Gould. “But what I can say is, we will have proper procedures in place consistent with law that will make sure that only those who have an appropriate public health reason for seeing the data do so, and they do so under very clear conditions and criteria.”
This seemingly diverges from previous assurances that the app’s data would only be accessed by the NHS. Speaking about the app in April, health secretary Matthew Hancock said: “All data will be handled according to the highest ethical and security standards, and would only be used for NHS care and research, and we won’t hold it any longer than it’s needed.”
Gould seemed to signal that a broader range of parties could theoretically get their hands on the data. When asked whether this could include Apple and Google, Gould did not categorically rule it out. “I can’t see a scenario in which Apple and Google would have access to that data,” said Gould.
Gould was also unable to say whether employers could gain access to the data under the auspices of ensuring “the health of their employees”, and did not immediately rule it out. Instead, he said that because the question touched on “issues of law”, he would need to consult on it and reply to the committee in writing.
Gould said that as long as the data remains on the user’s phone (which it does unless the user reports coronavirus symptoms), it can be deleted at any time. Contact data held on the phone is also deleted automatically after 28 days. However, once the data reaches the centralised NHS database, it is too late to withdraw it. “Once it is uploaded, it then becomes enmeshed in wider data – the technical difficulties of deleting it at that point become tricky,” said Gould. “But it is worth saying that at the end of the crisis, all the data will either be deleted or will be fully anonymised in line with the law, so it can be used for research purposes.”
Michael Veale, lecturer in digital rights and regulation at UCL, highlighted the vulnerability of the centralised NHSX app design to function creep, the worrying ability to create social graphs mapping an individual’s contacts, and the potential to persistently track a user through the app.
The NHSX app will ask for the first part of a user’s postcode in order to operate. Over time it will also prompt users to enter increasingly sensitive data, such as location data, in order to provide more epidemiologically useful information to the health authority. However, Dr Orla Lynskey, associate professor of law at LSE, pointed out that there’s “inherent risk that if you create a system that can be added to incrementally that you will do so in a way that is very privacy invasive and that might escape oversights and safeguards.”
In the committee meeting, it emerged that the Information Commissioner’s Office (ICO) was likely to take on the role of monitoring and enforcing the data practices of the NHSX app. However, commissioner Elizabeth Denham said that the body had not yet seen a data protection impact assessment (DPIA) for the app. It has “seen some technical documents” but not a DPIA yet, which is critical in order “to see what legal bases…are they going to rely on for the application”, she said. The fact that the ICO wasn’t consulted on the DPIA (which is required by GDPR) before rolling it out to the public in the Isle of Wight is already raising eyebrows.
“Coming from an ICO perspective, we know that the law was designed to flex in a time of emergency,” said Denham. “But I think we play a very important role as the independent regulator in looking at the app and its design phase, in monitoring each iteration of the app, and making sure it does what it says on the tin, and then the other really important part of our role as the independent regulator is to do robust audits on how the app is actually performed, and whether or not off-boarding or deletion of obsolete data is taking place.”
Gould said that even if only around 20 per cent of the population signed up to the app, the data could provide useful insights into symptoms and how the virus is spreading. He said adoption rates of between 40 and 50 per cent could be useful in identifying people who had been in contact with the virus. Independent researchers have said that the app would need high levels of engagement, at a minimum of 56 to 60 per cent of the population, to work effectively.
A fierce debate has raged in Europe over whether centralised or decentralised apps offer better privacy and security protections. “If privacy was the only thing that we were optimising for, then it may well be that a decentralised approach should be the default choice, but actually, we’re balancing a number of things,” said Gould.
However, unexpectedly, Gould also said that the selected app design wasn’t set in stone. “We’re not […] irredeemably wedded to one approach. If we need to shift, then we will,” he said. He admitted the team developing the app was worried about interoperability with other nations’ apps. The UK’s nearest neighbour, Ireland, has opted for a decentralised approach, along with much of Europe, making it likely there will be more friction in data sharing.
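To make concrete what is at stake in the centralised-versus-decentralised debate, and why Veale warns that a centralised store can be used to build social graphs, here is an added toy model written for this article. It is not the NHSX app’s protocol, nor the Apple/Google one, and it is not code from either project. It assumes a generic rotating-pseudonym scheme (pseudonym = hash of a device secret and an epoch number), four constructed devices, and a constructed proximity log; in the centralised variant the server is assumed to hold every device’s secret from registration, which is what lets it resolve pseudonyms back to people.

```python
import hashlib
from collections import defaultdict

EPOCHS = range(3)  # three pseudonym-rotation windows in the toy timeline

# Constructed sample: four devices with fixed secrets (real deployments use
# random secrets; fixed values keep the example reproducible).
DEVICE_SECRETS = {
    "alice": b"secret-alice",
    "bob": b"secret-bob",
    "carol": b"secret-carol",
    "dave": b"secret-dave",
}

# Constructed proximity log: (epoch, observer, observed). Symmetric entries
# mean both phones heard each other over Bluetooth.
PROXIMITY = [
    (0, "alice", "bob"), (0, "bob", "alice"),
    (1, "bob", "carol"), (1, "carol", "bob"),
    (2, "alice", "dave"), (2, "dave", "alice"),
    (2, "carol", "dave"), (2, "dave", "carol"),
]


def pseudonym(secret: bytes, epoch: int) -> str:
    """Rotating broadcast identifier: H(secret || epoch), truncated.
    (Assumed scheme for illustration, not any real app's derivation.)"""
    return hashlib.sha256(secret + epoch.to_bytes(4, "big")).hexdigest()[:16]


def observed_pseudonyms():
    """What each phone actually stores: the pseudonyms it heard, per epoch."""
    logs = defaultdict(list)
    for epoch, observer, observed in PROXIMITY:
        logs[observer].append((epoch, pseudonym(DEVICE_SECRETS[observed], epoch)))
    return logs


def centralised_upload(reporters):
    """Centralised design: a symptomatic user uploads the pseudonyms their
    phone heard. Because the server knows every device's secret, it resolves
    each pseudonym to a person and accumulates contact edges, including
    edges of people who never reported anything themselves."""
    logs = observed_pseudonyms()
    lookup = {(pseudonym(s, e), e): d for d, s in DEVICE_SECRETS.items() for e in EPOCHS}
    edges = set()
    for reporter in reporters:
        for epoch, pseud in logs[reporter]:
            edges.add(frozenset((reporter, lookup[(pseud, epoch)])))
    return edges


def contacts_of(edges, device):
    """Who the server can say a given person met, reporter or not."""
    return {other for edge in edges if device in edge for other in edge if other != device}


def decentralised_publish(reporters):
    """Decentralised design: a symptomatic user uploads only their OWN
    per-epoch pseudonyms; the server merely republishes that list and never
    sees who heard whom."""
    return {(pseudonym(DEVICE_SECRETS[r], e), e) for r in reporters for e in EPOCHS}


def decentralised_match(published):
    """Each phone compares what it heard against the published list locally.
    Returns the set of devices that learn they were exposed."""
    logs = observed_pseudonyms()
    return {d for d, heard in logs.items() if any((p, e) in published for e, p in heard)}


if __name__ == "__main__":
    reporters = ["bob", "dave"]
    graph = centralised_upload(reporters)
    print("centralised server now holds edges:", sorted(sorted(e) for e in graph))
    print("centralised server knows alice met:", contacts_of(graph, "alice"))
    published = decentralised_publish(reporters)
    print("decentralised server holds", len(published), "bare pseudonyms and no edges")
    print("phones that match locally:", decentralised_match(published))
```

With only Bob and Dave reporting, the centralised server ends up holding every edge in the toy graph, including Alice’s and Carol’s contacts although neither of them uploaded anything, which is the social-graph problem in miniature. The decentralised server holds six bare pseudonyms and learns nothing about who met whom; Alice and Carol still find out locally that they were exposed. Real schemes differ in how pseudonyms are derived and published, and decentralised designs carry their own risks (for example, published keys can reveal which pseudonyms belonged to one infected person), so this is a model of the architectural trade-off, not of any deployed app.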
Gould said his team was working “phenomenally closely” with both Apple and Google on developing the app, given that the majority of handset operating systems are controlled by the two companies.
Gould remains committed to publishing the DPIA and the source code of the app.