The data protection impact assessment for the NHS contact-tracing app reveals “significant issues” that leave the app “falling short of data protection legislation”, a data law expert has claimed. 

Michael Veale, a lecturer in digital rights at University College London, examined the assessment and found it does not comply with UK law on anonymity and access to data.

The assessment on the trial of the app in the Isle of Wight claims the data shared with the app is anonymous and is only uploaded with a users permission, but Veale suggests this is not the case in practice.

In a paper analysing the assessment he wrote: “The document (and associated public messaging) must be changed throughout to reflect the fact that it is not the case that personal data about a user is only uploaded with a user’s permission, as other people upload data revealing a user’s social interactions.”

Referring to NHSX’s claims the app is “designed to preserve the anonymity of those who use it” by not collecting identifiable information like names, phone numbers and NHS numbers; will not involve the disclosure of information that reveals users identities; and will be used anonymously to encourage contacts to self-isolate, Veale said the assessment is “legally misleading”.

“These statements are legally misleading, and contradictory to later admissions in the DPIA [Data Protection Impact Assessment]. The NHSX app does not preserve the anonymity of users, as it primarily processes pseudonymous, not anonymous, personal data. Anonymous information is only that which is not personal data,” he wrote.

“The data in the NHSX app is ‘capable’ of revealing an individual’s identity. Whether NHSX intend to do this is not a relevant question from a legal stand point, the question is whether it reasonably could.”

The contention arises with the processing of identifiers unique to an individual, he explains. Though a personal identifier may be created to be unique to a user and not identifiable by another use, it still falls under the definition of personal data – meaning it’s not anonymous.

Though NHSX states the provision of personal data is not obligatory issues with consent arise, Veale continues.

“The main flaw in this argument is the NHSX system is designed such that identifiable personal data which relates to adevice ID is uploaded by other users about the data subject by design, not just the data subject themselves.

“Take a trivial example. Three users sit in a cafe, one on a table by themselves and two on a table next to each other. The one on a table by themselves later uploads data after declaring/testing positive.

“Therefore, a third party uploads personal data describing a connection between two other people, without the specific consent of the users concerned. This does not happen in e.g. a decentralised system, as users never upload information about other people.”

NHSX’s decision to differ from Apple and Google’s approach to contact tracing by creating a centralised system has raised concerns, particularly around privacy.

But Matthew Gould, the organisations chief executive, has consistently maintained a centralised approach provides significant benefits in creating social data graphs to track the virus.

The right to be forgotten

The app appears to “deny people access to the right erasure”, or the right to be forgotten, without a “specified lawful reason”, Veale said.

Gould has publicly stated a user can delete the app and any data it has collected on their device whenever they decide they no longer want to be involved in contact-tracing.

But this will not apply to the backend of the app, according to the assessment.

“In combination, this appears to imply that users will be unable to delete their data, or make a request to do so. There may be a lawful basis that can be established for denying an erasure request, however this is not specified,” Veale wrote.

The assessment also reveals users cannot access any information about themselves shared with the app, raising concerns around the right to access as outlined under GDPR, Veale adds.

The ID of a user has been “deliberately buried in the app, and not surfaced to the user”, Veale states, effectively depriving them of their rights.

He goes on to explain this type of practice is “arguably in violation” of GDPR, requiring the rights and obligations of data protection law to be designed into the systems a data controller builds.

“In this case, they have been designed out,” he said.

A trial of the app was launched on the Isle of Wight last week, with a further roll-out expected across the UK this month.

Privacy and data protection concerns have been front and centre of the development of the app, with privacy campaigners and experts raising concerns about contract-tracing becoming a tool for mass surveillance.

NHSX has been contacted for comment.