Health secretary Matt Hancock has responded to demands for new legislation for the NHSX tracing app with “a big fat “NO”!”, to borrow MP Harriet Harman’s terminology. Harman, other MPs and peers on the Joint Committee for Human Rights, had submitted a draft bill to Hancock on 7 May that would enshrine in law the privacy guarantees made by government, make criminal the misuse of data, and ensure transparency and regulation of the NHSX app.
After being unceremoniously ignored in the interim weeks, the group finally received a response yesterday by letter. Hancock rejected the need to introduce new legislation for the app, writing that he has every confidence that the NHSX app “complies with the law and high information governance standards expected of public services”. He is of the view that existing legislation (specifically, the Data Protection Act 2018 and the Human Rights Act 1998) already covers the app’s risks nicely. He wrote that the government was taking all “the necessary steps to ensure the app operates in a fair and transparent way and protects any data collected from a user”.
Lilian Edwards, professor of law, innovation and society at Newcastle University and member of the Ethics Advisory Board for the NHSX app, says that the Data Protection Act is inadequate and relying on already existing legislation would mean “huge amounts of uncertainty”. “[The Data Protection Act] is enabling rather than prohibitive – there are very few things that it says you cannot do,” says Edwards.
There are concerns that without new legislation, businesses could require the public to download the app in order to enter establishments and employers could demand employees use it as a condition for returning to work. An NHSX spokesperson told NS Tech that employers would not be able to do so, but verbal contracts are easily broken. “It’s all very well having these denials – but put it in statute,” Jim Killock, executive director of the Open Rights Group told NS Tech last week.
Hancock’s rejection of the bill again puts the UK at odds with other countries (notice a pattern?) which are in the process of legislating around their respective contact tracing apps. “If this was any [European] country, this would be an absolute no brainer because […] you have to have a statute enabling a major new piece of intrusive technology,” says Edwards. Switzerland, Germany and Austria are poised to introduce bills of this kind.
“It’s very unclear to me why the government are so reluctant to introduce legislation,” lecturer in digital right and regulation at UCL Michael Veale told NS Tech earlier in the week. “Australia was able to do it very quickly, and now has a passed law stating that no-one can oblige any other person to show an app as a condition for day-to-day activities.” He said that the JCHR’s bill could be proposed to parliament “with minimal effort”.
Shooting down the bill has the useful side effect that there may be no debate on the introduction of the app, or of the wider track and trace methodology in parliament. Many of the apps’ issues stem from its centralised design that means data is processed and stored in a central government database. But this design choice partly stemmed from the fact that the UK didn’t have enough tests to provide the populace, and therefore has to ask people to enter symptoms rather than coronavirus diagnoses – a choice that ostensibly necessitates more central oversight. Edwards points out that by avoiding a debate on the app, Hancock avoids further scrutiny on the reasons behind certain technical decisions.
Without legal safeguards, abuses of the app’s data could include repurposing by law enforcement or intelligence agencies, or sale or transferral of the data to private enterprises. Neither would be without precedent. “In the world of public private partnerships, it’s really hard to draw a line between ‘what’s the NHS which everyone feels safe about sharing with’ and ‘what are private contractors involved?'” says Edwards.
And while it’s undoubtedly a busy time for ministers, other legislation, such as controversial Counter-Terrorism and Sentencing Bill, which would allow the movement of terror suspects to be restricted indefinitely and that human rights group Liberty told Sky News “threatens all of our civil liberties”, hasn’t faced the same problem – neither did the Coronavirus Bill that had prompted similar concerns.
[Join NS Tech and some of the UK’s leading government tech experts on 3 June for a live discussion on how technology can be deployed responsibly to aid the response to the crisis. Register here.]