The contact-tracing app U-turn “shouldn’t distract us” from pressing the government for clearer information on how it is using health data, a cybersecurity and privacy expert has warned.

Professor Eerke Boiten, professor in cyber security at De Montfort University in Leicester, raised concerns about the companies with “strong political connections” that have access to the data.

“Even if the app never gets off the ground, that shouldn’t distract us from seeking more insight into what the government and a few companies with strong political connections are still doing with our health data,” he wrote in The Conversation.

In parallel to the app, NHSX has been developing a data dashboard to manage all the Covid-19 data collected to inform the UK's response to the virus.

According to Boiten, the choice of partners for the programme was “worrying”.

He added that the data protection impact assessment (DPIA) later released for the app was “unsatisfactory” and lacked justifications for holding the data on a centralised database.

“But while it appears the app is off the table – or at least that England and Wales will get a more privacy respectful one run by internet giants – there’s still reason to be concerned about NHSX’s use of patient data and how it’s being shared with private firms,” he wrote.

“Palantir’s original contract was published under legal pressure but its renewed contract has not. In particular, we do not know whether NHSX is paying Palantir properly this time.

“We also know more clearly that there’s a lot that we’re not being told, as the government has only published a DPIA for data being combined and stored but not for how it is then being used for planning, including possibly through AI.

“The DPIA only assesses Palantir’s role for data storage, and yet the firm’s original contract also mentions ‘data analytics’, ‘support tracking, surveillance, and reporting’, and none of that is covered in the document. It also doesn’t mention Faculty, which says it is working on data dashboards and modelling as part of its contract with NHSX.”

Boiten raised concerns that consultation with stakeholders and external experts was not completed for the DPIA, despite this being recommended practice.

“Overall, that leaves us in a position where we do not know what Palantir, Faculty and others are doing with NHS medical data. We do not know whether the risks of abuse of the data have been properly recognised and mitigated,” he added.

“But we do know that this kind of database is not protected against access by intelligence services.”

Boiten was one of hundreds of academics who in April signed an open letter asking NHSX about its plans for the app, warning it could “catastrophically hamper trust” if it became a tool for “large scale data collection on the population”.

“There was no publicly available information on how the app would work or keep the data secure, and it was not clear that it would work at all. There was also no justification for the choice of a centralised data matching model that was intrinsically riskier to privacy.”