NHS COVID-19 Track and Trace - Forget me (or not?)

How does the new NHS App work, and how does it affect your personal data?

Unless you have been living underneath a rock for the last week, you have probably noticed that the long-awaited NHS ‘Track and Trace’ App has now been launched and can be downloaded from the App and Play Stores for Apple and Android.

The App was originally supposed to be launched several months ago, but the centralised contact tracking model that was originally tested on the Isle of Wight was abandoned and replaced by a framework developed by Apple and Google. At the time of writing, over a million people have downloaded the COVID-19 App, which is designed to notify people if they have been near to other users who have tested positive for the virus or visited a venue where they may have risked infection. It also contains a symptom checker and provides a way to order a test.

The technology that underlies the App is Bluetooth, which is arguably one of the most accurate technologies in terms of proximity identification, in this case, proximity to other phones using the COVID-19 App (generally meaning within two metres for 15 minutes or more). It is considered one of the least intrusive forms of tracking, given that it is simply based on proximity to other phones using the App rather than actual location, e.g. a GPS location or mobile phone mast.

Many of the previous privacy fears have been assuaged by the Bluetooth-based, decentralised nature of the design, with the App’s developers stating that it is designed so that ‘nobody will know who or where you are’. The blurb in the NHS App store states:

“The App runs on proven software developed by Apple and Google, designed so that nobody will know who or where you are. And you can delete your data, or the App, at any time.”

However, privacy organisations such as the Open Rights Group and Big Brother Watch have called for the UK government to ‘clarify how people’s private data will be kept safe and secure under the new Test and Trace regulations’.

The NHS privacy notice for the Covid-19 test and trace programme states that if you test positive for COVID-19, the personal information collected will be kept by the NHS for 8 years, and if you are a close contact of someone who tests positive, the information will be retained for 5 years. It can be argued that the App is somewhat misleading, as it has a ‘Delete App’ button which says that it will ‘delete the App and all related data’ from the phone. Most people may assume that this means all of their data will be deleted entirely. However, the GDPR ‘Right to be forgotten’ is not absolute, and using this button will not necessarily delete all your personal data from the servers that it is stored on. The NHS privacy notice states:

“You can ask for any information held about you to be deleted. This is not an absolute right unless the legal basis for us to process your information is consent. If we need to continue to use your information, we will tell you the reason why.”

Most people will probably assume that the NHS is processing their information based on consent. After all, downloading the App is voluntary so, surely, you have consented? However, this is not how data processing legal pathways work. If you look at the legal basis in the privacy notice, you will see that it is:

What many people do not realise is that the GDPR right to be forgotten (or erasure) has a plethora of exemptions, which means that it does not actually apply to special category data in the following circumstances:

The UK’s Information Commissioner, Elizabeth Denham, has voiced support for the App, stating:

‘I am pleased that the App being launched this month is supported by the necessary consideration of people’s data protection rights.’ However, ORG and Big Brother Watch argue that there has been a lack of transparency around the entire process and have instructed data rights agency AWO to send a letter to health secretary Matt Hancock demanding he provide more information on how data collected through the App will be kept safe and secure, and whether or not he has finally conducted a DPIA for the Test and Trace programme – which by the government’s own admission has been operating unlawfully since its inception as a result of this failure.

Perhaps one of the greatest ironies is that many individuals who are ranting about the intrusive nature of the COVID ‘tracker’ are complaining about it on Facebook and Twitter, which track far more data than the NHS’s App. This is rather neatly summed up in this Tweet:

Written & Published By: Claire Robinson DPO, CIPP/E, CIPM, ISO 27001 certified Consultant.

Tuesday 29th September 2020