We highlighted the role of data protection in ensuring an effective Government response to pandemics.
Find our official submission here.
Open Rights Groupi – Written Submission
- The last report of the Independent SAGE identifies trust as a key enabler for the success of UK’s Find, Test, Trace, Isolate, Support response to the pandemicii. In this submission, we point out how failing to consider data protection and privacy implications has slown down response to Covid-19, and inherently endangered public trust.
Effectiveness, necessity, and privacy implications
- The Joint Committee for Human Rights identified efficacy and proportionality as the key factors to judge the legitimacy of digital contact tracing, in line with article 8 of the European Convention of Human Rights and data protection legislation.iii This conclusion is supported by experts, who note how a centralised model for digital contact tracing requires “much more factual justificationiv”. The Independent SAGE also points out that centralisation raises concerns about confidentiality and security of the data.v
- On the other hand, field research suggests that the development of accurate and effective methods for proximity detection based on bluetooth (the technology being used for digital contact tracing) is likely to be challenging, as functionality depends on a number of external factors such as orientation of handsets and the reflection or absorption of radio signal by human bodies, buildings and trains.vi
- Furthermore, previous experiences in leveraging mobile data to fight pandemics revealed that success factors are interoperability and coordination, rather than data availability.vii A centralised configuration is outright incompatible with the decentralised contact tracing systems which most European countries have adopted, and has already resulted in Northern Ireland opting out of the NHSX App.viii
- It is now known that NHSX will switch toward a decentralised system.ix However, it is worth noticing how choosing a centralised solution added interoperability issues on top of predictable difficulties in proving the efficacy of an untested system.
Response capacity in relation to data governance
- Test and Trace will store information for 20 years,x a term which is manifestly incompatible with the requirement of storing personal data for “no longer than necessary”— pursuant to article 5(1)e of the GDPR. At the same time, mandatory Data Protection Impact Assessment was not carried out prior to the commencing of the program.xi
- These facts expose a clear pattern we also observed in the development of NHSX contract tracing App,xii which underlies how data protection is being conducted as a sheer formality, rather than a process to assess risks and inform decision making.
- However, countries who have engaged earlier with data protection requirements have been faster than the UK in deploying their digital contact tracing systems. For instance, in France the roll out was preceded by close scrutiny by their DPA.xiii In Italy, a DPIA was submitted to their DPA for prior authorisation, after which the App was released to the public.xiv
What can be learnt, and how to better prepare for future pandemics
- Taking privacy implications in due consideration would have likely exposed from the beginning the issues which led to rework NHSX App from scratch. In turn, the UK is now among the few countries who failed to roll out a digital contact tracing solution to this date.
- Thus, this Committee should raise awareness about the need of timely conducting mandatory privacy assessments as a mean to avoid the delays we have experienced so far. This also include Test and Trace, where another failure to properly assess the risks involved would likely affect public confidence and likely undermine the program.
iOpen Rights Group (ORG) is a UK-based digital campaigning organisation working to protect fundamental rights to privacy and free speech online. With over 3,000 active supporters, we are a grassroots organisation with local groups across the UK. ORG have been advocating for a privacy minded approach to counter Covid-19 from the outset. In particular, we covered NHSX App shortcomings, supported JCHR efforts to establish legal safeguards for contact tracing, and we lodged a complaint to the ICO against NHS and PHE failure to produce a mandatory privacy assessment of the Test and Trace scheme.
iiThe Independent SAGE Report 5, Final Integrated Find, Test, Trace, Isolate, Support (FTTIS) response to the Pandemic, p. 11. Retrieved at: https://www.independentsage.org/wp-content/uploads/2020/06/FTTIS-12.42-160620-names-added.pdf
iiiJoint Committee on Human Rights, Human Rights and the Government’s Response to Covid-19: Digital Contact Tracing, §18, 19, p. 11. Retrieved at: https://committees.parliament.uk/publications/992/documents/7782/default/
vThe Independent SAGE Report 4, Towards an Integrated Find, Test, Trace, Isolate, Support (FTTIS) response to the Pandemic, p. 11. Retrieved at: https://www.independentsage.org/wp-content/uploads/2020/06/IndependentSAGE-report-4.pdf
viDouglas J. Leith, Stephen Farrell (Trinity College Dublin), Coronavirus Contact Tracing: Evaluating The Potential Of Using Bluetooth Received Signal Strength For Proximity Detection, p. 10. Retrieved at: https://www.scss.tcd.ie/Doug.Leith/pubs/bluetooth_rssi_study.pdf
viiSean Martin McDonald (Open Society Foundation, Ford Foundation, Media Democracy Fund), Ebola: A Big Data Disaster, p. 17. Retrieved at: https://github.com/cis-india/papers/raw/master/CIS_Papers_2016.01_Sean-McDonald.pdf
See also: Micheal Veale, Analysis of the NHSX Contact Tracing App ‘Isle of Wight’ Data Protection Impact Assessment. Retrieved at: https://osf.io/preprints/lawarxiv/6fvgh
xiiiSee Focus sur le projet d’application mobile StopCovid. Retrieved at: https://www.cnil.fr/fr/focus-sur-le-projet-dapplication-mobile-stopcovid
xivSee Green light to the ‘immuni’ contact tracing app by the italian sa. Retrieved at: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9356588#english