COVID-19 Contact tracing apps and your right to privacy
Contact tracing apps are being developed and rolled out by many countries around the world, including the UK, as a tool in the global fight to control the spread of coronavirus. The UK government has announced that it intends to introduce a contact tracing app later in May, and trials are being conducted this week in the Isle of Wight. In order for the app to be successful, it has been estimated that approximately 50% to 60% of the population need to download the app. The app also requires an individual to provide necessary information as to their health status in order to work, but concerns have been raised about the privacy implications of providing this personal information. What are the legal privacy protections for an individual’s data? And should people be concerned about downloading the app and providing their information?
How would a contact tracing app work?
The app would use Bluetooth technology, creating a randomised anonymous ID number that will interact with other nearby mobile devices. In the UK, the government has announced that it is developing a ‘centralised’ app, where all information obtained by the app is collated and sent to the NHS. It is then up to each individual who develops symptoms to notify the NHS through the app, which will allow the NHS to notify people who have been in contact with that person and provide advice on whether they should self-isolate or be tested on an anonymous basis.
By contrast, other countries, such as Germany, have opted for a ‘decentralised’ approach. Rather than sending the information back to a centralised database, the de-identified information is stored on each individual’s device and is then communicated directly to other devices which have been in close contact, if a person with symptoms chooses to notify others. This method has been preferred by Apple and Google, who both believe that the decentralised approach limits the risk of hackers being able to access the information, as it is not stored on a central computer database. In either a centralised or a decentralised approach, no identifiable information would be provided to other users of the app.
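The two designs described above, as a simplified added example (not code from the NHS, Apple, Google or any real app). It assumes one random ID per phone and abstracts away how the notification is transported; all class and function names are hypothetical. Both designs notify the same contacts, but only the centralised one leaves the record of who met whom in a central store.

```python
import secrets

class Phone:
    """Handset that broadcasts one random ID and logs the IDs it hears."""
    def __init__(self):
        self.my_id = secrets.token_hex(8)   # randomised anonymous ID
        self.heard = set()                  # IDs received over Bluetooth

def meet(a, b):
    """Two phones in range swap random IDs; nothing else is exchanged."""
    a.heard.add(b.my_id)
    b.heard.add(a.my_id)

class CentralServer:
    """Centralised design: every phone uploads its contact log."""
    def __init__(self):
        self.contact_logs = {}              # random ID -> IDs that phone heard

    def upload(self, phone):
        self.contact_logs[phone.my_id] = set(phone.heard)

    def report_symptoms(self, sick_id):
        # The server works out who to notify from the logs it already holds.
        return set(self.contact_logs.get(sick_id, set()))

def decentralised_notify(sick, phones):
    """Decentralised design: only the sick user's ID leaves their phone,
    and every other phone checks it against its own local log."""
    published = {sick.my_id}
    notified = {p.my_id for p in phones if p is not sick and published & p.heard}
    return published, notified

def simulate():
    # Constructed sample: four phones, three encounters.
    alice, bob, carol, dave = (Phone() for _ in range(4))
    phones = [alice, bob, carol, dave]
    meet(alice, bob); meet(alice, carol); meet(carol, dave)

    server = CentralServer()
    for p in phones:
        server.upload(p)
    published, notified = decentralised_notify(alice, phones)
    return {
        "expected": {bob.my_id, carol.my_id},
        "central_notified": server.report_symptoms(alice.my_id),
        "decentral_notified": notified,
        # Each encounter appears in two logs, so halve the total.
        "central_pairs_held": sum(len(v) for v in server.contact_logs.values()) // 2,
        "decentral_ids_shared": len(published),
    }

if __name__ == "__main__":
    print(simulate())
```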
Although there are concerns over the vulnerability of data under a centralised approach, the same data protection laws apply to the app, regardless of whether the app is centralised or decentralised.
This means that:
- All data collected by the app must be voluntarily handed over. It will be up to each individual whether they download the app and what information they provide. The European Commission has recommended that apps differentiate between functions, such as general personal information, symptom checkers, contact tracing, and warning functions. These functions should be considered separately, so each person can choose the specific information that they are happy to hand over and they know exactly what that information will be used for. Difficulties may arise if restrictions are placed on people if they do not download the app. For example, if it was stated that people could not enter pubs or restaurants unless they had downloaded the app, it is possible that such a requirement would be in breach of data protection laws (and more fundamental human rights) because people would be coerced into providing information in order to enjoy basic freedoms. Whether any such approach would be taken in the UK is yet to be seen; however, this approach has already been taken in other jurisdictions outside Europe.
- Only the minimum amount of data required for the app to work must be sought. It is not clear at this stage how much information the NHS would request for those downloading or using the app. On the one hand, the minimum information required may be access to your phone, reporting of symptoms, and anonymised contact information so that the NHS can contact you if you have been in close proximity to a person with symptoms. However, discussions have also been had about general location information which may assist the NHS in understanding the spread of the virus more generally and therefore aid in making wider policy decisions.
- All data must be deleted once it is no longer necessary to keep the data. This is likely to be a contentious issue. Concerns have been raised that the reason for storing the data might change over time, therefore changing the reasons for which the data was provided in the first place (which prima facie would be a breach of data protection legislation). The European Commission has recommended that apps should be deactivated automatically at the very latest when the pandemic is declared to be under control. That would mean that all data provided would be deleted at that time, without any need for individuals to take any action such as requesting that the data be deleted or uninstalling the app. Whilst the NHS has confirmed that the app will be closed down and data will be deleted once the pandemic is over, it has also stated that some data will be maintained for research purposes. Exactly what data may be maintained for research has not yet been confirmed.
The European Commission has published guidance for countries looking to develop contact tracing apps to ensure any apps comply with data protection laws. For example, the Commission has stated that it does not consider specific location data necessary for contact tracing - only the proximity to other phones is needed to understand if there has been contact between people. The Commission has stressed that the users should be able to maintain full control over their data in any apps being rolled out. Whilst this guidance is not binding on the UK, it will be interesting to see to what extent the app differs from the recommendations set out, and how the UK intends to ensure compliance with data protection laws.
How the government intends to ensure compliance with data protection laws is something that can only be seen once the app has been finally developed and rolled out. However, individuals understanding their rights in relation to their data is crucial to avoid any overstepping by the state in collecting unnecessary data, and to have sufficient transparency to ensure confidence among the public that by downloading and using the app they are not putting their privacy at risk in a way that may cause them harm in the future.
Articles are intended as an introduction to the topic and do not constitute legal advice.