COVID-19: The ICO’s new guidance on contact-tracing apps

The ICO has been playing a central role in the development of NHSX’s (the NHS’s digital arm) contact-tracing app, released for trial last week. The app will be a crucial element of the government’s 'test, track and trace' programme, working alongside enhanced contact-tracing services and swab testing, as it works towards safely reducing lockdown measures.

Talking to the Parliamentary Human Rights Committee on 4 May, Information Commissioner Elizabeth Denham appeared alongside NHSX CEO Matthew Gould. She confirmed that the ICO (in light of the strict time frame which would make setting up a new oversight body difficult) sees itself as the suitable independent body to advise on and check NHSX’s data protection impact assessment (DPIA) and privacy notice, in addition to its usual enforcement role. NHSX has consented to voluntary audits by the ICO and the ICO will deal with data protection complaints about the app directly.

The ICO’s data protection expectations for contact-tracing app development

The ICO published core principles and best practice guidance for contact-tracing app development prior to presenting to the Human Rights Committee. Before making its recommendations, the ICO highlighted its role as a pragmatic, proportionate and independent data protection regulator first and foremost. The ICO’s recommendations are designed to protect the public. The ICO also notes that, regardless of the development choices made regarding contact-tracing apps, the ICO believes that a developer must perform a DPIA and keep this document up to date throughout the lifecycle of the app. The ICO has promised to expedite the consultation process for any such DPIA sent to them for review.

Core design principles

• Transparency of purpose, design choices and benefits. The ICO flags the risk of the app’s purpose and functionality evolving beyond the minimum required for contact-tracing
• Protect users and do not weaken their privacy. Actions include data minimisation, such as using pseudonymous identifiers rather than registration details
• Ensure users have control over their data. This applies both during on-boarding and controls should be accessible in the app’s settings. The app should ensure that users can opt-in or opt-out without any negative consequences
• Store data for as short an amount of time as possible
• Securely process data. For example, use cryptographic/security techniques both when data is at rest and in transit.

Best practice recommendations

The ICO’s guidance also covers best practice recommendations for the lifecycle of a contact-tracing app from scope & design, to development & operation, to decommissioning. Some of the key recommendations made by the ICO include:

• keep data on the user’s device as far as possible
• publish key documents, like the product roadmap, so that users understand design choices about the use of their data
• make sure users know what data about them is being processed
• make the source code open for scrutiny and review
• retain data only as long as necessary – the ICO says personal data must only be processed for the duration of the COVID-19 crisis. Afterwards, as a general rule, it should be erased or anonymised
• exclude further processing not necessary for the primary aim of the app, in particular developers should not collect data because it 'may be useful in the future'
• re-assess the data protection implications for any future additional functionality
• allow users to decouple features so they can access the minimum contact-tracing feature (i.e. receiving a notification if they have come into contact with someone with COVID-19) without needing to provide additional data
• consider how the app will work alongside apps provided by other countries, as users start to travel abroad again
• prevent the collection of data by third parties for other purposes
• only collect pseudonymised proximity data (i.e. by generating a number 'key'), and refresh this 'key' regularly to prevent tracking
• make decisions about how to decommission the app once the pandemic ends at the design stage or as part of the app development road map.

The ICO has stated that it will keep these recommendations under review throughout the pandemic.

Lawful basis for processing

The ICO also commented that if the developer (such as the NHSX) is relying on public interest as a lawful basis for processing, then this must be 'necessary', meaning that if the developer could reasonably perform the task in a less intrusive way, then the public interest lawful basis will not apply. Consent may not be required for strict contact-tracing functionality, but where storage of and access to data is not strictly necessary, valid consent must be obtained.

The ICO also notes that collection of identifying personal data (e.g. an IP address), or location data (as opposed to proximity data) is not 'necessary' for the purpose of contact-tracing. In other words, a developer does not need to know where two people were when they met, only that they were in close proximity.

The NHSX’s contact-tracing app

Despite not yet being widely-available, the NHSX contact-tracing app has received criticism from privacy and human rights groups, such as the Open Rights Group and Amnesty International. This criticism primarily relates to those groups lobbying for the government to release key documentation associated with the app, like the DPIA and privacy notice. This will allow the public to confirm that NHSX has taken a risk-based, 'privacy first' approach to the app’s development. Matthew Gould, CEO of NHSX, has emphasised the NHSX’s commitment to transparency to the Human Rights Committee.

One of the key points that groups scrutinising the app have raised is that NHSX has chosen to ignore Apple and Google’s proposed “decentralised” framework (discussed in one of our previous articles) and has taken a 'centralised' approach, meaning the digital 'keys' are stored in a central cloud server, which in turn invites a higher risk of cyber-attack. This approach might conflict with the ICO’s guidance to store data on the user’s phone as far as possible, and NHSX will likely have to justify this decision in any privacy documentation, which is still to be released.

There are justifications for this choice provided by NHSX, such as providing greater insight into how the pandemic spreads across the UK and allowing NHSX to verify malicious, fraudulent or erroneous use of the app. It will be necessary for NHSX to have considered the risk to individual’s rights and freedoms in its DPIA to justify this approach.

Privacy concerns

Privacy groups have raised three primary concerns about the scope of the app:

1. The government will now have more information about contact between people (albeit anonymised)
2. In theory the government could cross-reference this proximity data with other data sources
3. There is a risk that the government will expand the scope of the app with additional functionality.

These groups have asked for more clarity about how user data might be used in the future, when personal data will be deleted, and how the government intends to ensure that the scope of the app does not broaden.

However, NHSX has stressed that the app has been built with privacy in mind. The app will not request any personal data, other than the first three digits of the user’s postcode to obtain approximate location and to enable analysis of high level trends. Matthew Gould has also stressed that the app is voluntary (requiring consent at several different stages of use) and transparent, it minimises the data collected where possible and the NHSX is alive to the issues associated with adding additional functionality. However, the academic experts presenting to the Human Rights Committee argued that a decentralised model would still have been better to address privacy concerns.

NHSX has yet to publically release its DPIA and privacy notice for review, although on 7 May the ICO announced that it is 'reviewing the Data Protection Impact Assessment for NHSX’s pilot of its contact tracing app in the Isle of Wight. We’ll feedback our comments as quickly as possible so that they can be usefully included in the learnings from the trial.'

It also seems that the NHSX is taking the recommendations from the ICO and the privacy concerns of advocacy groups seriously, with recent reports that it has started development of a second, 'decentralised' app.

The mere fact that this issue has received so much media attention shows that data protection has become a central issue when holding both public and private bodies to account. If you have any questions around data protection and technology, please contact David Varney in our Data Protection team.

This article was written by Andrew Wilson.