Coronavirus: Contact Tracing App is Privacy-Secure, but Still Has Issues
24 Sep 2020
Today the NHS COVID-19 app was launched. Early indications show that the developers have learned a lot from earlier mistakes and that this time they have got things right. This will undoubtedly be an important tool in the fight against coronavirus in England and Wales, and the DMA welcomes this development.
Unlike previous apps for registering your visit to a pub, restaurant or other venues, this is obviously not commercial and data will be used only for COVID tracing and research. The app is aimed at individuals rather than the business. Only the minimum amount of data is collected, and it is held locally on the smartphone instead of centrally like the NHS app that was trialled in the Isle of Wight.
The Privacy Notice is available online and goes to some length to reassure people about the anonymity and use of their data even linking to a section devoted to explaining the data journey and how data is used in each of the various scenarios. For those who want to delve even deeper into the detail, you can read the Data Protection Impact Assessment.
Further reassurance about the privacy, transparency and security can be found on the ICO website in the form of a rather positive sounding blog post.
It would appear, at this early stage that this time NHS has got the app right, and the DMA is content that it adequately protects the privacy of its users. The public can be comforted that they can download this app and contribute to reducing the spread of coronavirus.
However, there are indeed other considerations, which will no doubt impact the use and effectiveness of the app.
First, the fact remains that the initial attempts at developing this app have been ineffective. The trial of the original app on the Isle of Wight was plagued by functionality issues and did not inspire confidence in its use.
Second, the subsequent delay to introducing the app meant that the UK Government’s contact tracing efforts were less effective, further undermining public confidence in the UK Government to deliver an effective, secure and privacy-respecting app. Ultimately, public and industry trust in the delivery of this policy has plummeted.
Importantly, there is an issue with the app’s wider contact tracing functions. The UK Government app has a number of functions, beyond proximity-based contact tracing. One of these functions helps venues and businesses that need to keep details for contact tracing purposes by providing a QR code, whereby users of the app can register their details with the establishment.
For visitors who have the app, this will be an effective measure for businesses contact tracing obligations. However, estimated uptake of the app within members of the public is likely to be between 20%-30%. For the remaining 70%-80%, the venue or business still has the legal obligation to gather data.
Therefore, venues and businesses will still need to have other methods of gathering data, whether that be a secondary tech solution or using pen and paper.
There is the obvious danger that businesses and venues will fail to understand that the venue contact tracing service of the NHS app does not cover all their legal obligations for gathering people’s data.
Ultimately, the lack of clarity in the app’s particular function in venue-based contact tracing risks further undermining public trust in the app.
Information from the government will be needed to combat the inevitable confusion over which app or tracing system to use because so many are now in place. What about venues that already display a QR code of their own, should they now display two codes? What about people that only want to use the NHS app and not a proprietary app that may also use data for marketing?
While the UK Government can be confident in assuring privacy and effectiveness of the proximity contact tracing function, It will take a very impressive PR campaign to convince people to use this app in the numbers that it needs to be the most effective.
The DMA will continue to work with government and business to aid them in implementing the correct processes for their contact tracing obligations.
An app update:
On the day following its release, we saw further mistakes made, as it turned out negative NHS COVID tests could not be inputted to the app to stop the ‘isolation countdown’, allowing people to end their period of quarantine. Only tests from private companies worked.
The problem was fixed within a day but, in terms of ideating, creating and delivering of a policy in a crucial time, it has been—to be diplomatic—a poor performance from the department of health and the UK Gov.