NHSX and COVID-19: May we have some privacy, please?!
[Note 1: Since writing this article, the UK Government has announced a U-turn on its approach to the track-and-trace app, ditching its own developed app in favour of the Apple/Google device-centric app.]
[Note 2: Since writing this article, it has surfaced that the Apple/Google app has already been installed on the majority of iOS and Android devices, in the background, via regular software updates. The app is turned off and can be turned on by users at any time.]
The UK government has made repeated claims that new technology will be the key to defeating COVID-19 in the United Kingdom. Yet, months into the pandemic, nothing substantial has been implemented across the United Kingdom, with experts citing privacy concerns as a main sticking point.
At the heart of the COVID-19 track-and-trace app that the NHS has developed there are concerns about data privacy. The government maintains that the app adheres to the highest safety standards and will be world leading when released to the general population. However, some of the choices made seem to actually undermine this ambition.
Unlike the models recommended by technology companies such as Apple and Google – phone-centric, distributed data models that minimise privacy concerns – the approach taken by the NHS contact tracing app relies on data being stored in a centralised database. While the direct identity of users (e.g. their phone numbers) will be hidden, the NHS app matches Bluetooth data with an Installation ID which is unique to every phone. There is, therefore, a very thin line protecting the identity of the users – some claim the line is so thin that this data will not really be anonymised.
Michael Veale, Lecturer in digital rights and regulation at UCL, has published his ‘Analysis of the NHSX Contact Tracing App ‘Isle of Wight’ Data Protection Impact Assessment’. In his paper, Veale identifies three ways in which the data can be used to identify an individual. Veale concludes that ‘a centralised system is always a tiny step away from identification’ whereas ‘a decentralised app isn’t’.
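A simplified simulation of the two designs, added here as an illustration and not the NHS app's or the Apple/Google protocol itself: the `Phone`, `CentralisedServer` and `DecentralisedServer` classes, the broadcast format and the daily key rotation are assumptions of the model. It shows what each server ends up holding and which of them can answer "who did this phone meet?" for an arbitrary Installation ID.

```python
import secrets
from collections import defaultdict

class Phone:
    """Handset in the model. The Installation ID is a stable per-device value (assumed)."""
    def __init__(self):
        self.installation_id = f"inst-{secrets.token_hex(4)}"  # never rotates
        self.daily_key = secrets.token_hex(8)                  # random, rotated daily (assumed)
        self.seen_install_ids = set()   # what the centralised design uploads
        self.seen_daily_keys = set()    # what the decentralised design keeps on the handset

def encounter(a, b):
    """Bluetooth proximity event: each phone records what the other one broadcast."""
    for me, other in ((a, b), (b, a)):
        me.seen_install_ids.add(other.installation_id)
        me.seen_daily_keys.add(other.daily_key)

class CentralisedServer:
    """Uploads are keyed by Installation ID, so the operator holds the whole contact graph."""
    def __init__(self):
        self.graph = defaultdict(set)   # installation_id -> installation_ids it was near
    def upload(self, phone):
        self.graph[phone.installation_id] |= phone.seen_install_ids
    def contacts_of(self, installation_id):
        # Answerable for any Installation ID, not only for confirmed cases.
        return set(self.graph[installation_id])

class DecentralisedServer:
    """Only relays the random keys of confirmed cases; matching happens on each handset."""
    def __init__(self):
        self.infected_keys = set()
    def publish(self, phone):
        self.infected_keys.add(phone.daily_key)

def exposed_on_device(phone, server):
    return bool(phone.seen_daily_keys & server.infected_keys)

def run_scenario():
    alice, bob, carol = Phone(), Phone(), Phone()
    encounter(alice, bob)                                 # carol meets nobody
    central, decentral = CentralisedServer(), DecentralisedServer()
    for p in (alice, bob, carol): central.upload(p)
    decentral.publish(alice)                              # alice tests positive
    everyone = {p.installation_id for p in (alice, bob, carol)}
    return {
        "central_knows_bob_met_alice": central.contacts_of(bob.installation_id) == {alice.installation_id},
        "central_stored_installation_ids": len(central.graph),
        "decentral_stored_installation_ids": len(decentral.infected_keys & everyone),
        "bob_exposed": exposed_on_device(bob, decentral),
        "carol_exposed": exposed_on_device(carol, decentral),
    }
```

In the centralised model the operator can query the contact graph of any Installation ID at any time, whereas the decentralised server never receives a persistent identifier and only the handsets learn whether they were exposed.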
NHSX is the UK Government unit with responsibility for setting national policy and developing best practice for National Health Service technology, digital and data, including data sharing and transparency. In a document titled ‘The power of data in a pandemic’, the head of NHSX, Matthew Gould, details plans of how the NHS will use data to combat the pandemic – NHS England will create a data store which will bring the data collected throughout the pandemic together into one location.
A big data approach can indeed be very effective in enabling quick identification of trends and pinpointing regional spikes. However, there are concerns about who will be able to access this data. The NHSX document states that ‘all NHS data in the store will remain under NHS England and NHS Improvement’s control’. However, it also says NHSX and NHS England ‘have built a backend data store on Microsoft’s cloud platform, Azure, to bring multiple data sources into a single secure location’. Under the 2018 CLOUD Act, US agencies can demand access (with a warrant) to information stored by American tech companies, even when this data is stored outside of the US.
Does all of this really matter if this approach will save lives? This brings us to the final problem: will the app really save lives? On the Isle of Wight, where the app is being tested, there are reports of people waiting up to 72 hours for the results of an antigen test. The longer people have to ‘self-isolate’ without knowing whether they actually need to, the less likely they will be to do it in the post-lockdown period.
In conclusion, the approach chosen by the UK Government appears to put probable effectiveness – ‘world beating’ in the words of the Health Secretary, Matt Hancock – above risks concerning privacy. Sadly, in this case, there is still a way to go to live up to that claim.