The data protection impact assessment for the NHS contact-tracing app reveals “significant issues” that leave the app “falling short of data protection legislation”, a data law expert has claimed.
Michael Veale, a lecturer in digital rights at University College London, examined the assessment and found it does not comply with UK law on anonymity and access to data.
The assessment on the trial of the app in the Isle of Wight claims the data shared with the app is anonymous and is only uploaded with a users permission, but Veale suggests this is not the case in practice.
In a paper analysing the assessment he wrote: “The document (and associated public messaging) must be changed throughout to reflect the fact that it is not the case that personal data about a user is only uploaded with a user’s permission, as other people upload data revealing a user’s social interactions.”
Referring to NHSX’s claims the app is “designed to preserve the anonymity of those who use it” by not collecting identifiable information like names, phone numbers and NHS numbers; will not involve the disclosure of information that reveals users identities; and will be used anonymously to encourage contacts to self-isolate, Veale said the assessment is “legally misleading”.
“These statements are legally misleading, and contradictory to later admissions in the DPIA [Data Protection Impact Assessment]. The NHSX app does not preserve the anonymity of users, as it primarily processes pseudonymous, not anonymous, personal data. Anonymous information is only that which is not personal data,” he wrote.
“The data in the NHSX app is ‘capable’ of revealing an individual’s identity. Whether NHSX intend to do this is not a relevant question from a legal stand point, the question is whether it reasonably could.”
The contention arises with the processing of identifiers unique to an individual, he explains. Though a personal identifier may be created to be unique to a user and not identifiable by another use, it still falls under the definition of personal data – meaning it’s not anonymous.
Though NHSX states the provision of personal data is not obligatory issues with consent arise, Veale continues.
“The main flaw in this argument is the NHSX system is designed such that identifiable personal data which relates to adevice ID is uploaded by other users about the data subject by design, not just the data subject themselves.
“Take a trivial example. Three users sit in a cafe, one on a table by themselves and two on a table next to each other. The one on a table by themselves later uploads data after declaring/testing positive.
“Therefore, a third party uploads personal data describing a connection between two other people, without the specific consent of the users concerned. This does not happen in e.g. a decentralised system, as users never upload information about other people.”
NHSX’s decision to differ from Apple and Google’s approach to contact tracing by creating a centralised system has raised concerns, particularly around privacy.
But Matthew Gould, the organisations chief executive, has consistently maintained a centralised approach provides significant benefits in creating social data graphs to track the virus.
More on Covid-19 contact tracing apps
- NHSX sets up ethics advisory board to oversea contact-tracing app
- Contact-tracing apps could ‘catastrophically’ hamper trust, academics warn
- Imperial white paper outlines key data questions for contact-tracing tech
- ‘Absence of evidence’ for Covid-19 contact-tracing apps, review finds
- NHSX must be ‘upfront’ about contact-tracing app, privacy group says
- NHSX differs with Apple and Google over contact-tracing app
- Data from NHS contact-tracing app ‘to be kept for research purposes’
The right to be forgotten
The app appears to “deny people access to the right erasure”, or the right to be forgotten, without a “specified lawful reason”, Veale said.
Gould has publicly stated a user can delete the app and any data it has collected on their device whenever they decide they no longer want to be involved in contact-tracing.
But this will not apply to the backend of the app, according to the assessment.
“In combination, this appears to imply that users will be unable to delete their data, or make a request to do so. There may be a lawful basis that can be established for denying an erasure request, however this is not specified,” Veale wrote.
The assessment also reveals users cannot access any information about themselves shared with the app, raising concerns around the right to access as outlined under GDPR, Veale adds.
The ID of a user has been “deliberately buried in the app, and not surfaced to the user”, Veale states, effectively depriving them of their rights.
He goes on to explain this type of practice is “arguably in violation” of GDPR, requiring the rights and obligations of data protection law to be designed into the systems a data controller builds.
“In this case, they have been designed out,” he said.
A trial of the app was launched on the Isle of Wight last week, with a further roll-out expected across the UK this month.
Privacy and data protection concerns have been front and centre of the development of the app, with privacy campaigners and experts raising concerns about contract-tracing becoming a tool for mass surveillance.
NHSX has been contacted for comment.
15 May 2020 @ 09:02
This is one person’s interpretation of untested law: let’s not get carried away and trash a worthy project. As with all software in a beta phase, there is opportunity to address any flaws (right of access, right to be forgotten) before it’s released on a wider scale.
16 May 2020 @ 14:34
I doubt whether it would be possible to address any of the “flaws” outlined in the paper at a later date – especially as the back-end functioning of the track & chase mechanism appears to depend on them!
Veale’s paper is an analysis of the DPIA, not of the software itself – as he makes clear.
Unfortunately the reputation of the NHS (IC through Didital to NHSX) for managing & observing patient data & confidentiality has been somewhat tarnished by care.data…
14 May 2020 @ 18:56
Exactly what one expects from the NHS. They have been flouting data protection law for years and appear to believe that nobody can stop them. They might well be right as the regulators and all levels of governance are colluding in this.
16 May 2020 @ 15:14
I agree with this comment by Mary Hawking, except insofar as the reference to Care.data would seem to suggest that Care.data was a mistake in the past that has unfortunately left the reputation of the NHS tarnished – as though they have changed the direction of their policies since then. The NHS has certainly tried to give this impression, but that is deliberate duplicity. The whole programme of abolishing privacy and patient choice, and of harvesting the valuable commodity of patient-level, integrated, lifelong health and care records and using them (a) to control how patients engage with the NHS and (b) to promote the growth of the digital economy by harnessing healthcare to industry, is simply the extrapolation of the “mistake” of Care.data. Like the flaw in the NHS app, the “flaws” in policy around health records are in fact the whole point of the policy – notwithstanding all the propaganda to the effect that it is all about improving healthcare. The truth is quite the reverse. It is about downgrading healthcare in order to reduce the cost.