Whilst a contact tracing app may be a much-needed weapon in the fight against COVID-19, does it come at a cost to our privacy? The delayed and redesigned NHS COVID-19 App (NHS App) launched last Thursday and has been downloaded more than 14 million times. This blog follows our  and  Perspectives where we outlined data protection concerns.

Proximity vs location

Using Bluetooth, the NHS App processes proximity data to determine users’ potential exposure to someone with COVID-19. Bluetooth data has been favoured over GPS data by most countries as it does not track users’ actual location, which would carry greater privacy risks and the possibility it could lead to their identification.

Bluetooth

The NHS App works by generating a random daily code for a device. This code produces and emits a secondary code every 15 minutes. The App exchanges the secondary codes, via Bluetooth, with nearby devices running the App and records these exposures for 14 days before deleting them. If a user tests positive, they can opt to share their daily codes with the Department of Health and Social Care’s (DHSC) central server, which will in turn send their relevant codes to all NHS App users’ devices. An alert will then be triggered to those users who the infected person has been near, telling them to self-isolate. This frequent regeneration from a random code aims to preserve anonymity, although the NHS Privacy Notice acknowledges “if an app user had only been in contact with you and no one else, they would be able to infer who the infected person was when they received an alert”. Notably, the alert to self-isolate is not legally enforceable as it is based on probable rather than confirmed exposure. Users may ignore this alert and face no fine, arguably impacting on the App’s efficacy.

Where is the data stored?

The NHS App operates a decentralised system, offering greater user privacy. It is stored on the users’ device with only a central server holding the anonymised daily codes of COVID-19 positive users, relying on the exposure notification API developed jointly by Apple and Google. The earlier, now abandoned, version of the NHS App was based on a proprietary centralised system of data collection.

QR codes

The NHS App also allows users to ‘check-in’ to venues, such as pubs and restaurants, by scanning a QR code. The venue name, date and time of entry are stored on users’ devices for up to 21 days and this list is visible to the user, who may delete entries. The Data Protection Impact Assessment (DPIA) insists that using QR codes to check-in at venues is a more robust privacy preserving mechanism than signing-in with a pen and paper. This feature, however, has raised concerns that it could operate as a quasi-location tracker revealing where a user has been and when. Further, it is possible that fake QR codes could be used for hacking devices.

Personal data

The NHS app processes data that is considered ‘personal data’ as it is stored on a user’s registered device and may include the following:

  • postcode district
  • data from QR code scans
  • the daily and secondary codes
  • symptom information
  • if requested, the test code and result.

Before any data is shared by a user with the DHSC’s server, it is anonymised and thus not classed as personal data. The only exception are test codes and results, which are held for 24-48 hours. However, while the NHS app’s DPIA is adamant that the Apple/Google exposure notification identifiers are considered “anonymous”, the DPIA recognises that personal data and identifiers are processed in the context of COVID-19 testing and results linking.  

Processing personal data is protected under the GDPR(1), and so to operate legally the NHS App purports to rely on:

  • explicit user consent (users voluntarily choosing to share daily codes if infected);
  • the processing being necessary for a public health interest(2); and
  • that the app’s processing of data is proportionate to its aim

Data minimisation

The NHS App attempts to limit the scope of its data processing, for example using proximity over location tracking, stores data on users’ devices and purports to anonymise user data.

Under the GDPR the length of time data is stored must be for no longer than necessary. In this context:

  • the exposure log deletes every 14 day and the venue log every 21 days. 21 days may be an unnecessarily long period of time to hold venue log data; DHSC’s justification being that this accounts for both the 14-day incubation period and the 7-day infectious period of the virus(3)
  • the test codes that link a user’s test result to their App are held on the DHSC server and are deleted within 24 to 48 hours
  • users can delete the App at any time, they can also choose to delete the data held on the App or the venues they check into.

Certain data sets, however, are excluded from the scope of the GDPR in the App’s DPIA. “Analytical data”, such as the device type, operating system version, half of the user postcode, exposure notification status and COVID-19 test results, may be held for anywhere between 5 to 20 years.

Conclusion

The second iteration of the NHS App appears to comply with data protection laws, having shifted to the Apple-Google exposure notification API which received positive feedback from the ICO. Some concerns, however, may remain around data minimisation.

That the App has been downloaded millions of times suggests that the public may be willing to accept limited privacy intrusion. This is perhaps unsurprising as many social media apps collect a far greater amount of personal data (including name, email addresses, shared pictures and location tracking), have been subject to hackings, retain for long periods and share the data with third parties.

Will the App help the fight against COVID-19? Whilst one report estimated a functioning App with 15% uptake could reduce deaths by 11%, the efficacies remain to be seen.

With thanks to interns Ben Evans and Adel Msolly for their assistance with this blog. 

(1) General Data Protection Regulation. In the UK, certain GDPR provisions are specified further via the Data Protection Act 2018 (DPA).

(2) GDPR Article 6(1)(e); GDPR Article 9(2)(g),(h),(i); DPA 2018 – Schedule 1, Part 1, Section 2(2)(f) and Section 3.

(3) NHS COVID-19 App DPIA, section “Retention of data from the app”