COVID-19: Legal implications of the UK Government’s new contact-tracing app

We investigate the data protection implications of contact-tracing apps, as the UK Government begins trialling the new NHSX app this week

07 May 2020

This week the government aims to start trialling its contact-tracing app on the Isle of Wight, before rolling the app out more widely later this month. The government will be asking the whole of the UK to download the app, according to Transport Secretary Grant Shapps, as it is a key element of the next step of the government’s COVID-19 containment strategy.

What are contract tracing apps and how will they help in the efforts to stem the pandemic?

Contact-tracing apps have already been adopted in many countries to help contain the spread of COVID-19 and assist with the laborious process of manual contact-tracing. The apps use either short range Bluetooth or GPS technology to trace and alert individuals who have come in close contact with anyone who has been diagnosed with COVID-19.

The alerted individuals will then be advised to self-quarantine until they are tested or 14 days has lapsed with no symptoms. As any self-quarantine performed will be targeted and risk-based, it is hoped that the further spread of COVID-19 will be quickly contained and that the rest of the population will be able to go about their daily life and contribute to the economy as usual.

What are the key data protection issues?

Due to the potentially sensitive nature of the personal data processed by app providers, one of the key privacy concerns will be to ensure that any personal data collected is anonymised, secure, not easily re-identified and kept for no longer than necessary.

The technology framework proposed by an alliance between Apple and Google took the 'de-centralised' approach, meaning the matching and tracing of at-risk individuals would occur on individuals’ mobile handsets rather than via a centrally-held database. It was intended that this approach would mean that no other person had access to an individual’s data and would minimise the risks that a bad actor could access or misuse the centralised data.

Governments in some countries (including the UK) however are concerned that the de-centralised approach means that the health authorities will not be able to have real-time oversight over the spread of COVID-19 and the effectiveness of the app.

Whether 'centralised' or not, the Information Commissioner has emphasised the critical importance of data protection by design and default requirements under Article 25 of the GDPR, the data minimisation and storage limitation principles under Article 5(1), and data subject rights generally under the GDPR. The Information Commissioner also asks developers working on contact-tracing projects to consider the following key questions:

  • Have you demonstrated how privacy is built into the processor technology?
  • Is the planned collection and use of personal data necessary and proportionate?
  • What control do users have over their data?
  • How much data needs to be gathered and processed centrally?
  • When in operation, what are the governance and accountability processes in your organisation for ongoing monitoring and evaluation of data processing that is to ensure it remains necessary and effective, and to ensure that the safeguards in place are still suitable?
  • What happens when the processing is no longer necessary?

What does the ICO think about contact-tracing apps?

Since the beginning of the pandemic, the Information Commissioner's Office has been supportive of the innovative use of data to fight COVID-19, provided that the principles of transparency, fairness and proportionality are applied in accordance with GDPR. The ICO has reviewed the framework built by Apple and Google and acknowledged that the technology appears to be aligned with data protection principles. Information Commissioner Elizabeth Denham appeared before the Human Rights Joint Committee this week, alongside the CEO of the digital arm of the NHS (NHSX), Matthew Gould, with a series of best practice recommendations.

However, it would also be possible for app developers to misuse the technology and process data for longer periods of time than necessary, for unintended purposes, or to subsequently expand the scope of an app after release. The ICO will therefore continue to monitor the development of contact-tracing apps and provide further opinions where necessary, in particular by working closely with, and continuing to support, the NHSX app as it is developed, rolled out and utilised.

NHSX’s proposal

NHSX is expecting to roll out a trial of its own contact-tracing app this week to the Isle of Wight. The app works by using Bluetooth to log the distance between a user’s phone and other phones nearby that also have the app installed. If a user becomes unwell, they can choose to allow the app to inform the NHS, which may trigger an anonymous alert to other app users who the user came into significant contact over the previous few days.

NHSX has rejected the framework proposed by the Apple-Google alliance (although NHSX states that it is still working closely with both companies to develop its app), citing performance reasons and functionality issues, and has instead initially preferred a centralised platform where contacts are represented by an anonymised 'identifier'. The centralised approach would mean alerts are sent to a user's phone from the NHSX server, whereas Apple and Google’s de-centralized approach would involve direct communication between devices (and these alerts would not be logged centrally).

To address cyber security concerns, NHSX has invited the National Cyber Security Centre to provide expert advice and GCHQ has also been enlisted to support and protect NHS digital infrastructure as required to address COVID-19. Matthew Gould, the CEO of NHSX, has emphasised key 'privacy first' measures within the app to protect personal data:

  1. No registration information (other than the first half of a user’s postcode to provide a ‘fuzzy’ location) is required, so the app does not know who you are, who you have been near or where you have been
  2. Use of the app is voluntary at several stages, including the ability to delete the data at any point
  3. The app is part of the government’s 'test and trace' strategy, and sits alongside traditional strategies to protect more people than just the app users
  4. The app has been developed transparently, with open-source code, and published privacy models.

Wider uses of technology and big data

In addition to the NHSX app, big data is continuing to play a vital role in tracking the impact of coronavirus both globally and within the UK. Data sources such as Citymapper's Mobility Index continue to evidence the significant reduction in travel within major cities during the pandemic, and Google’s COVID-19 Community Mobility Reports are providing an insight into our changing day-to-day movement patterns. Separately, the C-19 Symptom Tracker designed by King’s College London has more than three million users contributing to its joint research project, which focuses on app users providing details of their COVID-19 symptoms, identifying high-risk parts of the UK in order to prevent further outbreaks.

The view from Europe

On 16 April the European Commission published its own guidance on data protection issues in relation to contact-tracing apps. This guidance is not legally binding and only applies to apps where an individual’s consent to the app using their data is given voluntarily.

The guidance covers key areas including:

  • The recommended controller under GDPR being the relevant national health authority, who should be fully involved and consulted when developing a contact-tracing app, with its deployment subject to ongoing review
  • Detail surrounding the legal basis and purpose for processing
  • Storage limitation and procedures around limiting access to and disclosure of data
  • The security and accuracy of the data collected.

The Commission's guidance takes into account the views of the European Data Protection Board (EDPB), which stresses the EDPB’s belief in the importance of data protection impact assessments detailing all the relevant privacy by design and privacy by default being built into any new contact-tracing application.

Mr Wojciech Wiewiórowski, the European Data Protection Supervisor (EDPS), stated that an EU-wide single app with strong data protection standards would be the 'best solution to the coronavirus pandemic' alongside ongoing cooperation with the WHO to develop an effective response to track the spread of the virus. Within his remarks, the EDPS confirmed his belief that the route was compliant with GDPR, which allows the processing of sensitive private information for the interests of public health. The EU’s eHealth Network has also released a 'toolbox' for Member States providing guidance in relation to contact-tracing apps.

A way forward?

The efficacy of any contact-tracing app will be highly dependent on uptake and proper usage. In the UK, this would mean users reporting any symptoms or test results and following any quarantine instructions. New devices may also need to be rolled out to vulnerable individuals without a suitable smartphone.

However, the development and use of contact-tracing apps represent a tangible way in which technology and data can be used to stem the effects of the pandemic and ease lockdown. As long as developers continue to comply with their obligations under GDPR and heed the ICO's guidance, this should result in a powerful tool to help our society take steps back towards normality.

If you have any data protection or technology queries about this subject, please contact David Varney or Lucy Pegler in our Data Protection team.

Key contact

Andrew Dunlop

Andrew Dunlop Partner

  • Head of Outsourcing
  • Head of Technology
  • Head of Data Protection

Subscribe to news and insight

Burges Salmon careers

We work hard to make sure Burges Salmon is a great place to work.
Find out more