Introduction
Ahead of the proposed national roll-out of the NHSX COVID-19 contact tracing app, there has been criticism of it by privacy advocates and others. In this article I will adopt a unified view from a collective technology law, data protection law, as well as technical perspective, and hopefully address some of those concerns, to guard against undermining the tremendous effort which is being invested into a life-saving solution.
Is the NHSX App even necessary?
The importance of contact tracing was apparent as soon as the virus manifested itself in the UK, as well as other parts of the world. The objective was that those who had been exposed to it, would be quarantined to guard against spreading the infection, especially considering the exponential rate of the contagion.
However, contact tracing through manual means is resource intensive. Furthermore, although an individual can identify some of those people with whom he or she has been in contact, this becomes much more difficult to do:
- when an individual has been in public places and does not know the identity of those in close proximity to him or her (such as standing in a shopping queue or on the London Tube);
- when an individual seeks to recall the different exposure distances and contact times he or she has had with others (for example standing quite close to someone for several minutes, gives rise to a different risk exposure than passing someone in the street); or
- when an individual starts showing symptoms, and then tries to work out both the pre-symptom and post-symptom contacts (taking into account that the virus could be contagious before the symptoms are apparent).
We only have to consider the following recent news from South Korea, to note the importance of contact tracing to guard against a second wave of infections after lockdown measures are relaxed. In early May, one individual, who subsequently tested positive for COVID-19, visited five nightclubs and bars during one night, leading to a new wave of infections. Over 2,000 establishments were subsequently ordered to be closed for a month, and several thousand individuals were urged to be tested. This scare occurred after the government had relaxed social distancing measures with the virus seemingly under control.
This shows that, alongside the rapid spread of the virus in the UK and other countries, manual contact tracing will not curb the spread of the virus. Hence the need for an automated way of undertaking contact tracing to save lives.
Is the NHSX App going to be privacy intrusive?
Privacy concerns regarding the NHSX App seem to have generated adverse publicity – with some suggestions of the NHSX App potentially leading to a ‘surveillance state’. However, it is important to rebut concerns such as these, by focusing on the reality of the NHSX App, and taking into account the requirements mandated by the Government’s Joint Committee on Human Rights.
The amount of data that is collected
The NHSX App only collects a limited amount of personal data; in fact, much less than many of the apps which individuals use these days. We only have to consider how much information users share through the use of other commercial app services (viewing the privacy policy for such apps will make the large scale of data collection and processing apparent), to see the stark comparison with the NHSX App. Yet, millions of individuals adopt a ‘care-free’ approach to installing such commercial apps, due to their perceived utility or entertainment value, without expressing any privacy concerns.
In contrast, the NHSX App collects a much more limited subset of information for safeguarding public health and lives. Furthermore, no GPS location data is gathered. Instead, Bluetooth Low Energy (BLE) signal strength connection to other devices running the NHSX App, is collected to provide relational proximity, rather than actual location information (that is the NHSX App is not tracking a user’s specific location). This is achieved by the BLE signal strength providing an approximation of the distance between different devices, and therefore individuals. BLE has the advantage of being a power conserving variant of Bluetooth, to guard against unnecessary battery drain, and is commonly used in smart watches and proximity sensors.
Phone model data is also collected, to allow adjustments to be applied to the BLE signal strength information which is collected, to seek to provide a truer measure of proximity, to take into account that different phone models behave differently with regard to BLE signal strengths. This ties in with the data protection law requirements of processing data accurately.
Users of the NHSX App are also able to choose whether to provide the first part of their postcode to the NHSX systems (this again, does not identify a user’s address, nor specific location). This allows trend analysis and local hospital resourcing, as mentioned in the section below.
Furthermore, the NHSX App does not gather any information about a user’s name. Instead, a unique random identification number is automatically generated for each user of the NHSX App (the NHSX refers to this as the “Sonar ID”). An encrypted form of the Sonar ID (which the NHSX refers to as the “Transmitted ID”) is exchanged between devices which come into each other’s proximity. The NHSX App also refreshes each user’s Transmitted ID on a daily basis, with a new randomly generated identification number to further safeguard privacy. Cryptography is also used by the NHSX App to ensure encrypted authorisation and transmission of data.
A user’s device’s IP address is also captured by the NHSX App. This is for purposes such as load balancing and guarding against DDos types of cyber attacks. Organisational and technical measures are also implemented to segregate the IP addresses visible to the front end systems from the NHSX back end systems, to further protect privacy.
Centralised versus decentralised approach
There has been much debate about the centralised versus decentralised approach.
The NHSX App is using BLE to build a list of contacts which a user has encountered, by way of the Transmitted IDs mentioned above (the “Transmitted ID List”). This will therefore constitute ‘pseudonymised’ personal data in data protection legislation terms: the personal data cannot be attributed to a particular individual, without the use of additional information which is kept separate, and which is subject to technical and organisational measures to keep it separate. This information is automatically deleted from the user’s phone after 28 days.
With the decentralised approach, the Transmitted ID List remains locally on a user’s device. Any matches of close proximity between an infected individual on the Transmitted ID List and the user of the device, are detected locally on the user’s device. With the centralised approach, the Transmitted ID List, as well as the other details which the NHSX App is collecting, are securely transmitted to the NHSX’s systems for matching and detection purposes, after a user uploads them; this will be after the user self-diagnoses that he or she is suffering from virus symptoms.
Although from a privacy perspective, storing data locally on a device is more privacy positive, it does not mean that having a centralised approach cannot have appropriate privacy safeguards applied to it. In order to understand why a centralised approach has been advocated by NHSX, one has to understand the benefits of doing so.
Centralising the data allows a number of advantages, which NHSX believes are unavailable with the decentralised approach, including the following:
- Trend analysis: This is key in order to understand whether social distancing is working or not. It can also provide more up-to-date information in relation to the R-Number (namely, the effective reproduction number, which shows the average number of people that one individual will pass the virus on to). There are different models used to calculate the R-Number, with Public Health England’s model being based on the number of reported deaths. However, this is based on information which has been provided on the number of deaths within recent weeks, and therefore does not make available infection information in the more dynamic and up-to-date manner that the NHSX App can offer.
- Local hospital support: This allows the ability for proactive resourcing of regional hospitals, in response to the above trend analysis, by using the partial postcode information which is voluntarily provided by users.
- Guarding against false positives and malicious actors: At the moment, the NHSX App is reliant upon self-diagnosis and self-reporting of virus symptoms, for initial alerting purposes. This is due to the lack of large scale and timely virus testing being available. Consequently, there is a real risk of incorrect information being provided by users, which would generate ‘false positive’ alerts to users. The NHSX’s centralised approach allows risk modelling to mitigate against the associated risks. This is something which can only really be undertaken in a decentralised model by removing the self-diagnosis, through the use of definitive test results provided in a timely manner. Unfortunately, this is not currently possible.
It is also important to understand that there are numerous safeguards implemented within the NHSX centralised approach. The device identifier cryptographic information is stored on iPhones within the Secure Enclave Processor. This secure co-processor, isolated from the main processor, provides an extra layer of security as the cryptographic integrity of its operations is maintained, even if other aspects of the phone are compromised. Android devices are not standardised; so this information is stored in hardware secure storage on the handsets, or using software measures where this is not possible due to the handset models. Data is also transmitted from the user’s device to NHSX systems in a batch encrypted process using Transport Layer Security (“TLS”) (the TLS protocol provides secure data transmission).
There is of course, always the risk of security breaches. However, this is no different to any other system in the world. It does not mean that systems should not be deployed, it just means that security measures need to be implemented and continually monitored and updated.
However, there are certain issues associated with a centralised approach, such as interoperability issues with apps of other countries which have taken a decentralised approach (particularly with Ireland). Therefore, it remains to be seen as to whether the final NHSX App rollout will adopt a centralised or decentralised approach. Matthew Gould, the CEO of NHSX, has acknowledged that it would be technically possible to move to developing a decentralised system in place of the existing centralised approach, if required; albeit, that this will then suffer from the associated deficiencies with that approach, as outlined above.
Do you really need to install the NHSX App?
People around the world are becoming frustrated with the lockdown measures which are severely constraining their day-to-day lives. The Government has stressed the importance of the R-Number remaining well below one, if we want to see restrictions lifted; as a R-Number above one risks exponential contagion. The South Korean example cited earlier, illustrates how a second exponential wave could commence from the relaxing of lockdown measures. This can only be addressed through urgent contact tracing.
A report to NHSX on effective configurations for a contact tracing app, shows that the virus can be suppressed if at least 56% of the UK population use the NHSX App. This translates into at least 80% of all UK smartphone users using the NHSX App (to take into account that not all of the UK population have a smartphone). The Isle of Wight beta testing of the NHSX App is encouraging. It showed that 65% of all smartphone users who could download the NHSX App, had done so by mid-May. Undoubtedly, huge public confidence is required for a successful roll-out of the NHSX App. This is why the Government’s Joint Committee on Human Rights has called for independent oversight and additional legislative footing, as a pre-condition. This will also help ensure compliance with Article 8 of the European Convention on Human Rights (‘Right to respect for private and family life’).
It is therefore, imperative that maximum uptake of the NHSX App occurs, to safeguard individuals, their loved ones and the NHS.
The Joint Committee on Human Rights’ Pre-conditions
As with any project, there are issues which arise from the initial design and testing phase. The Data Protection Impact Assessment which is required for projects such as the NHSX App, is useful to highlight risk areas and concerns, so that they can be addressed.
The DPIA produced by the NHSX has shown that there are some areas which require further focus by the NHSX. These include: ensuring the deletion of data from back end systems (rather than just the NHSX App itself), when it is no longer required; ensuring that purpose limitation in respect of processing of personal data is maintained (to avoid ‘scope creep’); ensuring that the rights of data subjects can be properly exercised; and that there are clear privacy notices addressing the processing of personal data). Consequently, it is reassuring for the general public, that the Government’s Joint Committee on Human Rights has stipulated that, prior to the national roll-out of the NHSX App, the following conditions must be addressed in new legislation (a number of which simply reinforce specifics in respect of existing data protection legislation requirements):
- Clear and limited purposes of the app for data processing, namely that it can only be used for preventing the spread of the virus and for no other purpose. Furthermore, the data may not be shared with third parties. This therefore, relates to purpose limitation under data protection laws.
- The Transmitted ID List must not be uploaded from a user’s device to the NHSX’s systems until the user has confirmed a self-diagnosis of having virus symptoms, and has then chosen to upload such data. The Transmitted ID List must also be automatically deleted from the NHSX App every 28 days. This therefore, relates to data minimisation, as well as storage limitation under data protection laws.
- Any data held centrally by the NHSX must be subject to the highest security protections and standards. This therefore, relates to integrity and confidentiality requirements under data protection laws.
- There need to be limits as to who has access to the data and for what purposes, with appropriate security protections being required for any systems on which such data may be processed. This therefore, relates to purpose limitation, as well as integrity and confidentiality requirements under data protection laws.
- Data held centrally may not be used for data reconstruction (that is any pseudonymisation of data cannot be circumvented to gain information about an individual). This therefore, relates to: the principles for lawfulness, fairness and transparency; integrity and confidentiality; purpose limitation; data minimisation; and storage limitation under data protection laws.
- Data held centrally relating to a user, must be deleted following a request from that user. The data also may not be held for longer than is required, and in any event for no longer than 2 years. All data collected must be deleted once the public health emergency is over. This therefore, relates to storage limitation under data protection laws.
- The Health Secretary must undertake a review and report to Parliament on the efficacy and privacy protections relating to the digital contact tracing system every 21 days.
- Powers for a Digital Contact Tracing Human Rights Commissioner to ensure appropriate oversight on digital contact tracing, including to look into individuals’ complaints.
- There is also a requirement for the NHSX App’s DPIA to be made public and updated as digital contact tracing progresses. This will assist with transparency and accountability, with regard to processing of personal data.
All of this should, therefore: alleviate some of the concerns about the forthcoming national roll-out of the NHSX App; and help the UK in its objective to overcome the virus and its adverse effects, as soon as possible.
Jagvinder Singh Kang is a leading specialist technology lawyer, data protection lawyer and qualified software engineer. He is also the International Head of IT Law at the leading law firm, Mills & Reeve.
