It finally happened: NHSX came to realise the issues surrounding their contact tracing app, and decided to switch to a decentralised approach.
Although this marks a first important step, Open Rights Group (ORG) is still concerned about the way UK’s responses to coronavirus are being approached, and our personal data are being handled. For this reason, we wrote to the Science and Technology Committee, making the case for timely and substantial implementation of data protection requirements.
Implementing GDPR would have avoided delays
We have seen how the decision to switch toward a decentralised contact tracing solution came several months after the start of the app development, and its trial in the Isle of Wight. However, all the elements which would have emerged from a proper Data Protection Impact Assessment would have suggested against the choice of a centralised system, perhaps preventing the U turn we are witnessing today.
According to data protection rules, the higher the intrusiveness of contact tracing in our personal lives, the higher the necessity, effectiveness, and safeguards that need to be in place. On the other hand, bluetooth accuracy in detecting proximity has proven to be low, even more so for detecting risk, alongside the foreseeable uncertainty surrounding the functioning of an innovative and untested solution.
It is easy to see why opting for a centralised model, which involves a greater degree of intrusion into users’ privacy, was an ill conceived and ultimately poor choice. Furthermore, a centralised system is inherently incompatible with the decentralised apps of other European countries, a factor which further limits its chances of success.
In turn, failing to consider these facts helped result in the UK being among the few countries in Europe which still haven’t rolled out their contact tracing app.
Test and Trace is in the same boat
Unfortunately, the importance of privacy and data protection seem to have been consistently downplayed throughout the whole emergency.
Starting with the NHSX App, its development was characterised by an overall poor handling of transparency and privacy requirements, and followed by the release of a rather unsatisfactory Data Protection Impact Assessment (DPIA). We also observe a similar pattern in the Test and Trace programme—where a DPIA has not even been conducted—and in the NHS Data Storage project—where Government resisted to publishing their outsourcing agreements, and eventually committed to fix some mistakes under the pressure of advocacy groups.
The trend which emerges is that of considering data protection as a sheer formality which stands in the way of “getting the job done”, rather than a fundamental process which needs to be integrated from the outset in order to inform decisions and avoid mistakes.
The way forward
In delivering our response, we stress the importance of learning from our mistakes now rather than in the future. Experts have identified trust as a key element in determining the success of contact tracing efforts, and there are many initiatives whose issues will not be solved by the NHSX move towards a decentralised system.
The Test and Trace programme would be the natural test field to show to the public that their privacy is back on the agenda. This is why we lodged a complaint to the Information Commissioner’s Office, which now has the chance to fill the gap which was left by their recent inactivity, and ensure that Government programmes are complying with their obligations to protect our personal data.
We also warned before of other potential abuses, such as employers trying to make use the App compulsory. While it is good news that the Government have moved to decentralised matching, these problems will persist, and so will the need for legal safeguards. Therefore, ORG will monitor future developments, and keep advocating for stronger legal safeguards.