The government’s new NHS COVID-19 app is at the heart of its plans for tackling the coronavirus, lifting the lockdown and helping us all return to normal as soon as possible.
The app is currently being trialled on the Isle of Wight and, if successful, will be rolled out to the rest of the country to allow us to track and, most importantly, control the spread of the virus.
In this article we look at how the app works, what security and data protection issues the app gives rise to and the wider social/economic impact the app could have in the months ahead.
How does the app work?
The app can be downloaded onto any smartphone or device. Once you have downloaded the app, you will be required to enter your postcode and enable Bluetooth (to do this you may need to enable the location services on your phone).
The app will track and keep a record of what other phones you are in close proximity to (and for how long) as you go about your daily life. It is not intended to track your location, i.e. the app will know that I came into close contact with [X] many people on a given day but will have no idea where I was when I did so.
If you test positive for COVID-19 or self-diagnose yourself with COVID-19 symptoms, you should record this in the app. The app will then notify all other users who have been near you that they may have come into contact with someone with coronavirus and that they should therefore self-isolate.
Similarly, if the app detects that you have been in contact with someone who has subsequently displayed coronavirus symptoms, then the app will alert you to the fact that you may need to self-isolate.
Data protection issues
The app stores all its data centrally, which means that the NHS can build up a picture of how many people each user has been in contact with across the country. Whilst it would be very hard to link this data back to individuals, it would not be impossible to do so.
Due to the adoption of a centralised approach to the storage/processing of data collected via the app, there are concerns from numerous privacy organisations as to what the government will seek to use this data for.
The app will require 60-80% of the population to use it in order to effectively tackle the virus. Overcoming any trust issues people may have as to what their data is going to be used for, particularly when that includes sensitive data about their health, is therefore going to be crucial in achieving the level of public engagement the government needs to see in order for the app to be effective.
With this in mind, the Information Commissioner’s Office (ICO) has set out some principles which the NHS will need to follow in relation to the app. These can be summarised as follows:
- Transparency (be clear as to the purpose of the app, its benefits and its design)
- Data Minimisation (limit the amount of data collected and how long this is retained for)
- Protecting Users (pseudonymise data, allow users to exercise their data rights via the app, ensure opting in or out of certain functions will not have negative consequences)
- Security (securely process data, strengthen privacy measures)
The NHS will therefore need to be transparent with the public if it intends to use data from the app in other ways to combat the coronavirus, for example, for calculating the R rate and the prevalence of the virus across the country and ensure that the security of such data isn’t compromised by these additional uses.
Finally, when an organisation seeks to process special categories of personal data (such as health data) it will often have to rely on consent in order to carry out such processing. However, it is important to note that, in this case, it is likely that the NHS would be able to argue that it was able to process users’ data on the basis that this was, in the words of the GDPR, “necessary for reasons of public interest in the area of public health”. This is whey we are unlikely to see any consents as part of the app when it is rolled out to the nation.
As previously stated, to be effective, experts consider that 60-80% of the population will need to be actively using the app. To put this in perspective, this would mean the app would have to reach popularity levels akin to our favourite social media platforms virtually overnight. Engaging the public will therefore be key to the app’s success.
The app will only function when your mobile is on and you are carrying it around with you at all times. Ironically, this may mean that the app will not be effective in alerting some members of “at risk” groups of the need to self-isolate. For example, it is thought that many of the population who are at retirement age are more likely to leave their mobiles at home and only use them in the case of an emergency. If this proves to be the case, then the app will not protect those members of society who are at greatest risk from the virus.
The app relies on self-diagnosis as well as official test results. There is therefore the risk of people incorrectly diagnosing themselves with COVID-19 and forcing others to unnecessarily self-isolate. Whilst many would argue it is better to be safe than sorry, unnecessary self-isolation could prevent people from being able to work, impact on people’s mental health and distort national statistics about the spread of the virus.
Wider social implications
Of perhaps greater concern than the apps data protection issues are its wider social implications.
- if individual users can be identified via the app, law enforcement could use this information to monitor whether those people are self-isolating once they receive an alert from the app to do so, or once they start displaying symptoms. Taken further, the police could use the data to assess the extent to which individuals are following the government’s social distancing guidelines and assist them in imposing fines on those that don’t.
- if the location of users can be identified via the app, the government could use this information to analyse the types of locations and businesses users are frequenting and target lockdown restrictions accordingly. This could have a disproportionate impact on businesses in certain sectors which receive a high level of footfall, particularly retail.
- employers could make it a requirement that all employees download the app, so that if an employee displays symptoms or has been in contact with someone who has, the employer can identify which other individuals it needs to send home, thus avoiding the closure of the entire office. Similarly, retailers and businesses in the events industry could make it a requirement that, before entering their premises, individuals prove (via the app) that they are not infectious and should not be self-isolating. This could result in effectively creating “immunity passports” for everyone, severely restricting some individuals’ ability to work, enjoy leisure activities or even buy basic necessities.
The ICO considers it of paramount importance that the app should not be able to track users’ locations or identify individuals. it is therefore unlikely that the first two scenarios would arise, although it should be noted that there is nothing in law preventing the government from doing this and it would be very hard to know if it was.
Whether businesses seek to use the app as a way of “corona-washing” their organisation and reducing the risk of infection for their own staff is a question that remains to be answered and will ultimately depend on the perceived risk to the public at large from the virus over the coming weeks and months.
In conclusion, it is hoped that the number of new COVID-19 cases and deaths continues to fall and that the NHS app can be an effective contributor to this, for if the risk to the public continues to reduce, there is less risk of the government, the NHS and the private sector feeling pressured into using the app for other more extreme methods of suppressing the spread