The government could soon be required to provide legal assurance on the use of data gathered by the Covid-19 contact-tracing app, including the establishment of a Privacy Tzar.

Parliament’s Human Rights Committee has drafted a bill calling on the government to define the purposes for which contact-tracing app data can be gathered; prohibit its use for other purposes; set out who has access to the data; and require the data system’s security to be certified by GCHQ.

The draft bill was sent to health secretary Matt Hancock on 7 May, following a report on ‘Human rights and the government’s response to Covid-19’ which was published on 6 May.

The letter stated the current law was unsatisfactory, labelling it a “mishmash spread across the GDPR, the Data Protection Act 2018, Article 8 European Convention on Human Rights and caselaw on the right to privacy” and called for bespoke legislation relating to privacy and data protection. In a response letter, Hancock provided assurances that data protection is a priority, but said he didn’t believe legislation was necessary.

Last week, MP and chair of the committee Harriet Harman presented the draft bill to the House of Commons. The committee is awaiting a response from leader of the house, Jacob Rees-Mogg, on whether it can be presented as a private member’s bill.

In a briefing to journalists today Harman said assurances don’t “cut the mustard”, adding: “We don’t want the system to rely on the individual integrity of any minister, or any ministerial team, or any government… the way to have protections is to put them in law.

“This is easy and straightforward to do, so the question is ‘why would the government not be prepared to do it?’”

If the bill becomes law the government would be required to set up an independent contact-tracing app Privacy Tzar to monitor its use and deal with complaints.

Government would also be required to report to parliament on the app every three weeks and to delete the data collected after the pandemic.

“We cannot rely on the current, failed, mishmash of protections that were never envisaged for this situation,” Harman said.

“We need new legislation. Government collection of our movements and physical contacts would have been unconscionable before, but now it is happening.

“Big powers demand big safeguards. The government should not resist their assurances being put into law. Parliament completed emergency legislation for new powers. It can do it now for new protections.”

In its report earlier this month, the committee found the introduction of the ethics advisory board, established to oversee the development of the app, was “welcome but insufficient”.

Members warned that the government must not roll out the app unless sufficient safeguarding measures were in place, including: primary legislation assuring privacy protections and outlining data use; independent oversight of the app; and efficacy reviews by the health secretary every 21 days.

They also called for clearer language around data protection, suggesting current frameworks were “nearly impossible for the public to understand”.

User uptake and interoperability with other countries’ apps will impact the app’s efficiency, it was found.

“The amount of data the contact tracing app requires on the private and family lives of individuals is not justifiable if the app does not contribute meaningfully to the easing of lockdown restrictions and the combatting of Covid-19,” the report concluded.

“Government’s assurances around data protection and privacy standards will not carry any weight unless the Government is prepared to enshrine these assurances in legislation.”

A spokesperson for the Department of Health and Social Care said: “Our goal is to protect the NHS and save lives – and the NHS Covid-19 app will significantly speed up our ability to trace and stop the spread of the virus. The app is a key part of our wider strategy of testing and tracing, and will enable us to alert those most at risk of infection so they can take action to protect themselves, the people they care about and the NHS.

“Security and privacy has been a priority in all stages of the app’s development and the minimal amount of data that is collected will be anonymised and only used for the purpose of helping the NHS protect public health.”

Fierce criticism

Privacy and data protection concerns have plagued the contact-tracing app since its development began. Experts globally have warned that contact-tracing apps risk hampering public trust, which will result in low uptake.

NHSX, which is developing the app, has been heavily criticised for opting for a ‘centralised’ model that relies on self-reporting of symptoms, which has a greater risk of data poisoning and false positives.

Its own ethics advisory board has warned unreliable contact-tracing apps could provide a false sense of security and therefore increase the spread of Covid-19.

Parliament’s Science and Technology Committee has warned the government cannot rely on the use of a contact-tracing app to ease social distancing measures. In a letter to Prime Minister Boris Johnson, chair Greg Clark said it is “critical” that capacity for contact-tracing is advanced for “further stages of managing the epidemic”.

Concerns around security have forced NHSX to look at developing a second app to run “in parallel” with the currently available one, this time based on Apple and Google’s ‘decentralised’ model, seen as safer by privacy experts.

Its chief Matthew Gould has maintained that a centralised approach offers benefits that don’t impact privacy, including the detection of malicious use.

The app is currently being trialled on the Isle of Wight, with further roll out across the country now looking like it will be delayed. Health Secretary Matt Hancock has previously stated the app will be widely available by mid-May, but Number 10 has now said the app will be available in the coming weeks.