Privacy concerns about the NHS coronavirus contact-tracing app have led the Joint Committee on Human Rights to call for the Government to introduce legislation to underpin the app. Governments in other countries that are implementing contact-tracing apps are also facing similar concerns, and some are introducing legislation.

Contact tracing app: Privacy concerns

Testing and tracing form part of the Government’s Covid-19 recovery strategy. The idea is that measures to prevent virus transmission can be more targeted if people who are infected are quickly identified, and their close contacts then alerted and advised to self-isolate. The Government plan is for contact tracing to take place both through the NHS Covid-19 app and through health professionals and call handlers contacting people online and by phone.

However, groups including Amnesty, Liberty, the Open Rights Group and Privacy International have highlighted concerns about how an app will keep personal data private and secure.

There are key privacy concerns around the choice of a ‘centralised’ versus a ‘decentralised’ model for storing and processing data in a contact-tracing app. Both models use Bluetooth signals to record when users’ smartphones are close to each other. And in both models, users upload anonymised data to a central database. In a centralised model, a remote computer server performs the contact matching and analysis. But in a decentralised model, the app downloads anonymised information from a central database and the contact matching and analysis take place on the individual user’s phone. The decentralised model is said to give users more control over their information, but the centralised model may give health authorities more information about the spread of the virus.

The UK app works on a centralised model. Both NHSX, the unit that developed the app, and the National Cyber Security Centre have sought to reassure the public that their data will be confidential and secure.

According to data compiledby MIT Technology Review, of the governments around the world that are implementing contact-tracing apps, more have chosen a decentralised model than a centralised one.

JCHR and the call for legislation

The Joint Committee on Human Rights (JCHR) has called for the Government to legislate to provide legal clarity about how data gathered by a contact-tracing app could be used, stored and disposed of. The JCHR argues this would increase confidence in the app, which would increase uptake and improve the app’s efficiency.

Matt Hancock, the Secretary of State for Health, has argued that new legislation is unnecessary. He said since using the app is voluntary, legislation is not needed to permit data collection. Existing data protection legislation and the Human Rights Act 1998 would cover any data collected.

The JCHR described this as an “unsatisfactory mishmash” of laws. It has sent Mr Hancock a proposed draft bill setting out bespoke provisions on data protection and digital contact tracing.

What are other countries doing?

Other governments and parliaments around the world are facing similar issues and concerns, as the case studies below illustrate.

Australia

The Privacy Amendment (Public Health Contact Information) Bill completed its stages in the Australian House of Representatives on 12 May 2020. It amends privacy legislation to provide for a range of offences and data protections in connection with Australia’s ‘COVIDSafe’ contact-tracing app.

The app has been available for download since 26 April 2020. Initially, the basis for collecting, using and disclosing data from the app was a ministerial determination (a kind of executive order) made under emergency powers in Australia’s Biosecurity Act 2015. The determination limits retention of app data on a mobile device to 21 days and requires all data to be deleted from the national data store when the pandemic has ended.

The bill would put the data protection provisions on a statutory footing. It would also provide additional safeguards, such as: oversight by the Office of the Australian Information Commissioner, and enabling individuals to seek a remedy if they are affected by a data breach.

France

France’s National Assembly is due to vote on the French government’s ‘StopCovid’ contact-tracing app. The French government originally planned to hold a debate in the assembly without a vote, but opposition deputies argued this would undermine the app’s democratic legitimacy. A vote was scheduled for 28 April 2020 but did not take place as planned. Edouard Philippe, the French Prime Minister, said it was too early to debate the app project because it was not yet clear whether it would actually work. He agreed that the app raised legitimate concerns about civil liberties. Cédric O, the Minister of State for Digital, later announced that a vote could take place on 25 May 2020 in the National Assembly, ahead of the app’s planned launch on 2 June 2020.

Switzerland

The Swiss Federal Assembly has adopted a resolution calling on the Federal Council to introduce legislation to provide a legal basis for a Swiss contact-tracing app. The resolution says that centralised data storage cannot be used. It also says that use of the app must be voluntary.

Alain Berset, the Swiss Health Minister, said the Federal Council would introduce a draft bill to parliament by 20 May 2020, to be discussed during its June sitting. Trials of the app will take place during May, as no specific legal basis is required for this. Mr Berset said that “if parliament says ‘no’, it’s over” for the app.

Italy

The Italian Cabinet approved a decree covering personal data and contact tracing on 29 April 2020. The decree provides for the Ministry of Health to establish a platform to trace contacts between people who voluntarily install a mobile phone app. The app will complement the existing contact-tracing methods used by the Italian national healthcare system.

The decree states that the Ministry of Health, after consulting the Italian data protection authority, will adopt measures to protect individuals’ data. The decree provides that people’s rights are not affected if they do not use the app. The decree also requires that the app and the processing of data end when Italy’s state of emergency ends, and in any case no later than 31 December 2020.

Israel

Israel’s supreme court ruled in April that the government must pass legislation to continue allowing Shin Bet, Israel’s internal security agency, to carry out contact tracing using the mobile phone data of people suspected to have coronavirus. Under powers usually reserved for counter-terrorism operations, the Israeli government had approved emergency measures in March to allow Shin Bet to conduct the monitoring.  The court said the government must find “a suitable alternative, compatible with the principles of privacy”. The Knesset’s secret service subcommittee approved a three-week extension of the emergency powers at the beginning of May while the Government prepares legislation to comply with the court ruling.

What next?

On 11 June 2020, Lord Hain (Labour) will ask the Government “what steps they are taking to protect personal privacy in the trial on the Isle of Wight of the NHSX COVID-19 contract tracing application”.

Image by Gerd Altmann from Pixabay.