COVID-19 - balancing privacy and a global health crisis: is contact tracing the answer?

UPDATE 15 May 2020: The UK's Joint Committee on Human Rights (JCHR) has, unusually, produced a draft bill for the Government to pass as soon as possible on the use of information gathered from the NHSX app. The bill would prevent the Government from using the information for any purpose other than fighting COVID-19, and require it to delete all the data after the pandemic ends.

This pushback in the UK is in the context of the NHSX app now lagging behind the Apple/Google software for decentralised contact-tracing apps. Device users in other countries who chose to work with Apple/Google (e.g. Ireland, Germany) will be able to download their apps from Tuesday (19 May).

The Government has stated previously that the data will "either be deleted or fully anonymised in line with the law, so that it can be used for research purposes". This would seem to be aligned with the eHealth Network's EU Toolbox's view (see point (4) below). However, the JCHR has said the Government needs to be legally bound to undertake total deletion, with the JCHR reiterating that "big powers demand big safeguards".

If the Government does not take up the bill, the JCHR has asked for special permission to move it as a private member's bill (a bill introduced by MPs or Lords who are not Government ministers – they do not often pass through the House of Commons but, because of the time they are allocated for debate, they offer a way to provoke discussion/raise attention around a particular issue)."

The NHS 'contact tracing' app is intended to limit a second wave of Coronavirus. It is being trialled on the Isle of Wight starting 5 May 2020, and is expected to be available for the rest of the UK to download in mid-May. The sense of urgency and the privacy risks involved have prompted numerous debates and guidance publications at both European Union (EU) and national level. The UK Government has said it is prepared to adapt or replace the app if necessary – this follows reported problems with the app during the first few days of its trial.

Despite research around the globe apparently showing unprecedented progress in developing a vaccine for COVID-19, the reality is that to deploy a successful and safe vaccine to the population is not going to be a short-term solution. As weeks of isolation take their toll on individuals, businesses and the economy, governments are working on 'exit' strategies. A technology seen as playing a crucial part in this is "contact tracing".

What are contact tracing apps?

Contact tracing itself is not a new concept. However, it has previously been carried out manually by health practitioners and patients. Inevitably, this is time-consuming and relies on the patient's memory. Where medical resource is scarce and patients may have been in close contact with a significant number of people, as in the current situation, this is clearly not adequate.

Governments are turning to mobile applications to increase efficiency. In a nutshell, the apps can track COVID-19-positive individuals' contacts and enable them to notify other individuals with whom they have been in close contact. The app may then encourage people to self-isolate or get tested, thereby slowing the virus' spread.

There are more intrusive versions of the technology that have been used in Asia. Taiwan introduced what it calls an "electronic fence" system that alerts the local police if a quarantined user leaves their home or switches off their handset for too long. South Korea has also taken a strict, more intrusive, approach. It asked citizens to recall their movements and it also aggregated information from credit card transactions, CCTV footage and mobile phone tracking. Citizens found to be violating quarantine rules can also be ordered to wear a tracking band.

How does the Apple/Google contact tracing framework work?

Apple and Google collaborated to establish a contact tracing framework (CTF) using Bluetooth Low Energy (essentially, Bluetooth which is not always on). The CTF will allow links to be made between mobile devices running the app that have been in close proximity with each other by using 'identifiers'. Identifiers are cryptographic tokens (each a piece of encrypted code acting as a unique identifier for a device) collected by each device (i.e. each phone) from other devices within a certain range. These tokens will be stored on the user's device for 14 days, effectively creating a record of all other devices with which the user has come into close contact.

If a user is told they have Coronavirus or have symptoms, they can notify the app, thereby giving consent for their tokens from the last 14 days to be shared. The device from which each token originated will be notified, and the recipient of the notice will be encouraged to self-isolate/keep an eye on potential symptoms.

Apple and Google sought to address privacy risks in two ways, in particular:

  1. By only tracking someone's connections, and not their actual location – the tokens are in no way associated with any location. To protect further against the possibility of re-identification of an individual using the tokens, they are random and change frequently.
  2. By ensuring the process is decentralised – the matching process and data is on the users' handsets themselves, rather than being sent to a centralised server. This limits the risk that data is used for other purposes. It could also be said to reduce the risks to the data through cybercrime.

The UK's Information Commissioner's Office (ICO) published an Opinion on Apple/Google's CTF on 17 April. Generally, the ICO commented that "the project appears to broadly align with the principles of data protection by design and default".

How does the UK's NHSX app work?

NHSX is a new Government unit with responsibility for the NHS technology, digital and data. NHSX's app will also use Bluetooth to make connections. However, based on the information available at the time of publishing it is apparent they will adopt a centralised approach – rather than taking the decentralised approach advocated by Apple and Google.

The ICO commented on this choice on Monday 03 May: "as a general rule, a decentralised approach would be more in keeping with its principle that organisations should minimise the amount of personal data they collect…but that does not in any way mean that a centralised system can't have the same kind of privacy and security protections".

NHSX has perhaps taken the view that being able to access the data via a server is important in understanding and controlling the virus, for example, by being able to identify 'hotspots' where the disease is spreading. Despite these benefits, NHSX may have to change the app, possibly to a decentralised model. Such speculation follows reports of teething problems during the trial and statements from Government ministers that it is "learning lessons from other apps".

What are the challenges to effective contact tracing?

It is generally accepted that in a pre-vaccine world, contact tracing is a necessary measure.  However, this comes with its own challenges. The level of adoption is probably the biggest potential issue. The University of Oxford's Big Data Institute (advising NHSX) estimates that 56% of the UK's population must use the app to halt the outbreak – this equates to about 80% of all existing smartphone owners (based on data from Ofcom). To put this into perspective, only about 67% of UK smartphone users have downloaded WhatsApp. Linked to this is the demographic of users – put simply, will those most at risk (e.g. the elderly) use the app?

The measures will need to be accompanied by a careful communications campaign to ensure that the use of the app does not distract individuals from those measures that we know are effective in slowing the virus, such as social distancing and regular hand-washing.

The United Kingdom has its own unique challenge. It has been slower to adopt community-wide testing than say, for example, Germany. This means that the app will depend on users self-diagnosing as a having had Coronavirus – how reliable will this be?

Divergence in European approaches to contact tracing and the interoperability challenge:

The UK approach of a centralised data repository diverges from the EU Commission and European Data Protection Board (EDPB) guidance in its approach to contact tracing. However, the UK is not alone – France and Norway have adopted a similar approach.

Nevertheless, the EU Commission and the EDPB have clearly expressed a preference for a decentralised approach to processing the data via the individual's own device. Countries such as Italy, the Republic of Ireland, Switzerland, Germany and Austria are adopting models based on the Apple/Google decentralised approach.

While contact tracing at a national level is undoubtedly of primary concern, this divergence at a European level will present challenges. Germany's digitisation minister appealed to developers that apps should be compatible with those of other countries, adding that Germany was in discussion with other countries such as France, Spain and Italy to ensure that cross-border traffic can be monitored.

France said it is in discussions with Apple and Google to try to find ways to reconcile its approach with their platform, but for now it is going ahead without the tech giants’ tools. We expect that the UK will be considering inter-operability with decentralised apps.

Against this background, we should bear in mind that with effect from 11pm on 31 December 2020, the UK will be concluding the Brexit transition period and as a result, data protection laws may also start to diverge.

What data protection laws must the apps comply with to protect privacy?

Unsurprisingly, there are concerns that the use of contact tracing could result in the systematic and large-scale monitoring of the locations, and/or contacts, of individuals. One concern is that individuals' choice will be taken from them if, for example, downloading an app becomes a prerequisite to go to work or access public transport (as in China). There is understandable apprehension of 'scope creep' i.e. the purpose for which the data is being used gradually expanding. Could the data be used to deny employment or insurance? Could it be used, in the wrong hands, to embarrass or stigmatise individuals or groups? Complying with the rules of data protection and privacy laws will be crucial to obtaining the trust of the public.

The rules of the EU General Data Protection Regulation, 2016 (GDPR) continue to apply in the UK during this post-Brexit transition period. As a result, the UK Government will have considered the following rules and principles:

  1. Purpose limitation and data minimisation – Data processing should be limited to a specific purpose and the technology should only process the personal data necessary to achieve that purpose. When commenting on the Apple/Google CTF, the ICO referred specifically to the fact that the data collected is minimal and that the cryptographic nature of the token (including the fact that the tokens generated by one device are changed frequently) minimises the risk of identifying a user. The ICO stated that collecting other information, such as location, may be "legitimate and permissible" in order to pursue the public health objective of these apps, but that data protection considerations will need to be assessed by the data controller (including organisations developing, or commissioning the development of, the apps). No doubt, we will see further comment from the ICO on NHSX's intention to offer app users the option to provide their location data.
  2. Legal basis – The ICO has acknowledged that consent is likely to be the legal basis for contact tracing. However, it has raised concerns about how consent can be obtained and the implications of this consent being withdrawn (e.g. where the person withdrawing consent has been diagnosed – what will be the effect on notifications sent to other users?). Given these potential issues, app developers may decide to rely on other legal bases.They may, for example, rely on an argument that processing is necessary for reasons of public interest in the area of health. However, the EU Commission and the ICO both make it clear that individuals must "remain free to install the app or not and to share their data with health authorities".
  3. Transparency – The app will need to be accompanied by comprehensive information on the data collected, how it is processed and by whom. Probably, this will be in the form of a privacy policy. The law also requires that a detailed assessment of the approach be conducted, in the form of a Data Protection Impact Assessment (DPIA). The EDPB recommends that this be published before implementing any such app, as the processing can be considered high risk. Giving evidence to the human rights committee, the ICO confirmed that it had not yet seen the UK's DPIA.
  4. Data retention – Applications and related data should be removed as soon as no longer needed, for example, once the spread of COVID-19 has been managed. The eHealth Network's EU Toolbox states that the only justification for retaining the data beyond that period would be scientific/historical research purposes, and only under the condition that the data be anonymised and meet all other GDPR requirements.
  5. Security – Both the EU Commission/EDPB and the ICO stress the importance of cybersecurity. This is particularly pertinent if data is centralised.

What next?

We will be watching closely the use of technology to ease social distancing measures over the coming weeks/months. Early indications following the start of the Isle of White UK trial suggest that the app may well be changed and adapted due to technical limitations which may be related to the earlier decision to use a centralised, non-Apple/Google model. There are ongoing debates on whether the UK is risking data privacy in its use of a centralised system and option to collect location data. However, recent communication and future oversight from the ICO will go some way towards gaining the public's trust. Clearly, trust is key here, as without it, there will be insufficient downloads and limited effectiveness.

If you would like to discuss any of the issues raised in this article, or have other concerns about the impact of Coronavirus, please contact Tom Torkar or Gemma Neath in Michelmores' Data Protection & Privacy team.

CORONAVIRUS STOP PRESS – Click here to keep up-to-date with all of our latest articles.

This article is for information purposes only and is not a substitute for legal advice and should not be relied upon as such. Please contact our specialist lawyers to discuss any issues you are facing.