Reassurance on privacy of contact-tracing app remains ‘crucial’

Reassuring people about data protection and their privacy in relation to the NHS contact-tracing app remains “crucial”, an MP has said.

Harriet Harman, chair of parliament’s joint human rights committee, has written to health secretary Matt Hancock requesting further clarification on how data will be collected and used by the app.

It follows the government’s decision on 18 June to switch to Apple and Google’s contact-tracing model. The U-turn will see the government switch from a centralised to a decentralised approach, meaning data will be shared between devices rather than sent to a central database.

“Whilst some specific concerns may be alleviated by the switch to a decentralised digital contact tracing app, it is still crucial that people in the UK should be able to feel reassured that their data protection, privacy and non-discrimination rights are protected in any contact tracing system,” Harman wrote.

Further information on whether parts of the app will be mandatory; what information people will be required to provide; and how data will be collected, gathered and stored was requested in the letter, sent on 24 June.

A Department of Health and Social Care spokesperson said: “Protecting the privacy of users remains our absolute priority as we work to develop the new app, including carefully considering what personal data users would be asked to share for public health purposes and ensuring the app upholds the highest security and privacy standards.

“We will respond to the Committee’s letter in due course.”

The joint human rights committee in May drafted a bill calling on the government to define the purposes for which contact-tracing app data can be gathered; prohibit its use for other purposes; and require the data system’s security to be certified by GCHQ.

The committee also called for the establishment of a Privacy Tzar to monitor the apps use, as well as deal with complains.

Members warned that the government must not roll out the app unless sufficient safeguarding measures were in place, including: primary legislation assuring privacy protections and outlining data use; independent oversight of the app; and efficacy reviews by the health secretary every 21 days.

They found current law was unsatisfactory, labelling it a “mishmash spread across the GDPR, the Data Protection Act 2018, Article 8 European Convention on Human Rights and caselaw on the right to privacy” and called for bespoke legislation relating to privacy and data protection.

NHSX has always maintained that data would be anonymised and only used for the purposes of contact-tracing, with a portion kept for research purposes. But concerns relating to privacy heightened after it emerged the data would be kept for 20 years.

A majority of privacy concerns raised by campaigners and experts revolved around NHSX’s decision to develop a centralised contact-tracing app.

A centralised system posed greater data protection risks and mission creep, they argued, instead favouring a decentralised system like Apple and Google’s technology.

Despite concerns about privacy, NHSX launched a trial of its contact-tracing app on the Isle of Wight in the first week of May. In the weeks following reports suggested the NHS was working on a second version of the app using Apple and Google’s APIs.

After six weeks of silence about the outcome of the trial, and the expected national roll-out, the government announced on 18 June is was abandoning its version of the app and switching to Apple and Google’s technology, confirming they had been working with the technology giants since early May.

To date the app has cost £11.8 million.