Data collected by the NHS contact-tracing app could be fed into the health service’s Covid-19 data store, according to a government document released last week.

The data protection impact assessment (DPIA) on the store, managed by controversial firm Palantir, provides the first look at how data will be collected to inform the NHS and government response to the pandemic.

It reveals that Pivotal, the company responsible for developing the contact-tracing app, will have access to the data store.

“An admin account will be temporarily created for NCC Group (Cyber Security Experts) and Pivotal, the third-party supplier contracted to deliver the Covid-19 app and penetration testing,” the DPIA states.

“They will have read only access and once the application has been delivered, this account and access will be terminated. Following this, an SQL [Structured Query Language] account will be created which the application will use to read/write the database for certain task(s). This will restrict unwarranted access.”

In April, NHSX and NHS England revealed they were working with big tech companies, including Microsoft, Amazon Web Services, Google and Palantir, to develop a data platform to better inform the national response to coronavirus.

Pivotal and NCC do not have a direct role in the data store but are responsible for elements of the contact-tracing app, suggesting data from the app will at some point feed into the store.

This raises several questions around transparency, according to Professor Eerka Boiten, professor in cyber security at De Montfort University in Leicester.

Speaking to Digital Health News, Boiten flagged concerns over Pivotal being granted an admin account if they’re only given permission to read data, adding it was a “bit bizarre” as an admin account suggests other permissions could be granted.

He criticised NHSX and the DPIA for failing to address what “certain tasks” the application would be allowed to do once an SQL account is created.

“Why are they being vague about ‘certain tasks’, it’s a little bit worrying that they see no need to be precise about this,” he said.

Yet, according to Boiten, it is “entirely rational” that data from the app should feed into the data store, which was established to aid government planning in response to Covid-19.

“They want information about how the pandemic is spreading in various areas in order to plan the response, this datastore is supposed to be the central place where all the planning is done,” he told Digital Health News.

“So it would be irrational, if not foolish, to say we are going to get data from the app for planning but not put it in the place where we do all our planning.”

But the app is missing from the DPIA’s list of 35 data subsets that will feed into the data store.

Boiten suggests this is because it “doesn’t make sense” for the app to run directly into the data store, given the data it collects is already running through a centralised database.

But he adds little is known about the server side of the app, making it difficult to understand how the data will feed into the store.

“The main worry I have with it is this DPIA is mostly about getting all the data together but not really about what they’re going to do with the data,” Boiten said.

“This [the DPIA] doesn’t tell us much. It’s transparent on the collection but not really on the using of data.”

A spokesperson for NHSX said: “The data protection agreement has been published, and we will close down the app once the threat from the pandemic has passed, with any data users have chosen to share deleted at that point and some retained for research purposes, to better understand the virus.”

They also said the data is owned by the NHS and third party companies are not permitted to use or share it for their own purposes, as set out in their contracts.

“This project is helping us tackle coronavirus, by helping track information about where demand is rising and where critical equipment needs to be deployed, and strict data protection rules apply to everyone involved in helping in this important task,” they added.

“The companies involved do not control the data and are not permitted to use or share it for their own purposes, with any intellectual property owned by the NHS and contracts strengthened following review as appropriate.”

The data will be processed by Palantir using the company’s Foundry platform. Data accessed by Palantir would be aggregated and de-identified to “mitigate the risk of identification”, according to the DPIA.

NHSX has always maintain that data collected by the app would be deleted if a user chose to remove the app, but in May a spokesperson confirmed a portion of data collected would be kept for research purposes.

Faculty AI, which has links to Dominic Cummings and was hired to work on the Vote Leave campaign, is also working with the NHS on the data store to use artificial intelligence to support the national response to coronavirus. The company is not mentioned in the DPIA.