Use of personal data such as location or health data by apps, makes some shudder at the thought of who could access it and the impact it could have on their lives if it fell into the wrong hands; others simply install and use apps without giving a second thought to where their data is going, until a security incident or personal data breach is reported. There are many high profile examples of social media and health / leisure apps that have strayed over the line in recent years.
However, in the middle of one of the worst pandemics to face the modern world, could personal data be the ‘side-kick’ our NHS and key worker Superheroes need to beat COVID-19?
On 24 April 2020 the NHSX (a joint unit bringing together teams from the Department of Health and Social Care, NHS England and NHS Improvement to drive the digital transformation of the NHS) issued a public statement setting out details of its ‘NHSX’ contact tracing app that it is developing and aiming to release ‘in the coming weeks’ (current estimates are 2-3 weeks), which plans to make use of location and health data in an attempt to limit the rate of infection of COVID-19.
How it works:
- Logs distances between phones that have installed the app, using ‘Bluetooth Low Energy’ to connect devices; data logs are stored locally on the device.
- Informs the NHS if the user were to become unwell (provided the user allows the app to do so), which then triggers an anonymous alert to other app users in ‘significant contact’ over the previous few days.
- Advises on actions to take if an individual has been in contact with an infected individual (using current guidance from the Chief Medical Officer).
In future releases the intention is for people to be able to choose to provide the NHS with extra information about themselves to help identify hotspots and trends (i.e. sharing location data to create a ‘heatmap’ – it remains to be seen whether this functionality is actually included in the app launch).
- Where is the data stored / what will it be used for?
One big difference between the NHSX app and others being developed and favoured by large tech companies and EU member states is that the NHSX app uses a ‘centralised’ model by transferring data logs (that may also include location / health data as part of the app functionality) to a database managed by the NHS that uses a matching process, to work out which phones to send alerts to. This is in contrast to the ‘decentralised’ model, where the data is not transferred to a central database but is stored locally on the device with the contact matching processed locally on the device, which is favoured by large tech companies and many EU member states (such as Germany, which notably decided not to use the ‘centralised’ model, having initially decided that it would). The privacy concerns for individuals with the ‘centralised’ model include how long the data may be kept, whether it is necessary for the data to be transferred in this manner and if the data could be used for other purposes at a later date. The NHSX team has given strong assurances that the data will only ever be used for NHS care, management, evaluation and research and that a user can delete the app and all associated data whenever they want. NHSX has been working with the Information Commissioner’s Office to ensure they have oversight.
The use of a ‘centralised’ model and extensive transmission of data across networks and short-range communication (such as Bluetooth) undoubtedly poses a security risk both during transmission and storage on the centralised system of large amounts of personal data. Indeed, the NHS statement stresses that security and privacy have been prioritised at all stages in the design and development and confirms that they will publish key security and privacy designs alongside source code for privacy and cyber security experts around the world to ‘look under the bonnet’ (notably the NHSX development team have been working closely with the National Cyber Security Centre and other key government / industry bodies). However security experts and academics across the world have raised concerns on the method of data collection and potential for misuse, including most recently an open letter issued by more than 150 UK academics to the head of NHSX (published on 29th April 2020).
- Technological limitations:
Due to the way in which the app must use Bluetooth to communicate with nearby phones by having to ‘wake up’ the app, there is concern over the impact on battery life / energy consumption and interruptions caused by other applications or other connected devices. If the user experience is poor, despite the privacy objections being overcome, then the app may not succeed in its mission without clear instruction to users.
There are various statistics being published, however it seems that in order to be effective at least 60% of the population will need to download and actively use the app (depending on the success of other contact tracing methods). Indeed, there are other issues even if people download the app, such as battery failure or people simply choose to leave their phone at home / do not have a phone. That said, with smart phones being prolific in modern society and the desire of the world to defeat COVID-19, these issues should be mitigated provided the developers and NHSX team are crystal clear with users on how the app works / personal data is used.
This is undoubtedly a heroic effort by the NHS to fight the spread of COVID-19 and an example of how technology in the modern age could be used to save lives. It remains to be seen how the app will work in practice and the issues that may be faced in future as more data is transferred to the ‘centralised’ NHS system. However, there are some initial key ‘take-aways’ for all of us:
- Measure twice, cut once: Privacy by design and default is something all app developers must keep in the forefront of their minds in the development phase. The NHS has been careful to work closely with key regulators and organisations such as the National Cyber Security Centre and the Science and Technology Committee to ensure all feedback is taken into their design before release.
- Test it fast: User groups and industry bodies are essential to engage at an early stage to understand security concerns and also whether users will understand and be comfortable using the app, or whether it could cause issues on their device / they find ways to misuse it.
Can we help?
Are you an app creator / technology company looking to start-up or grow? Contact Tom Phipps or the Data Protection Team and we would be happy to guide you through setting up the processes and policies.