An NHS contact tracing app, if effective, could pave the way out of the UK’s lockdown restrictions and help prevent the spread of coronavirus, but there are ‘mission creep’ and other concerns regarding surveillance and the impact on other human rights which must be addressed first, according to a Westminster parliamentary committee.
After a Joint Committee on Human Rights hearing with the Information Commissioner; Dr Orla Lynskey; and Matthew Gould, CEO of NHSX, the digital arm of the National Health Service, on the new contact tracing app, the Committee says it was not reassured that plans for release of the app sufficiently protect the right to privacy and other human rights.
Chair of the committee, the senior Labour MP Harriet Harman, said: “Assurances from ministers about privacy are not enough. The Government has given assurances about protection of privacy so they should have no objection to those assurances being enshrined in law. The contact tracing app involves unprecedented data gathering. There must be robust legal protection for individuals about what that data will be used for, who will have access to it and how it will be safeguarded from hacking.
“Parliament was able quickly to agree to give the Government sweeping powers. It is perfectly possible for parliament to do the same for legislation to protect privacy.”
The committee calls for a ‘Digital Contact Tracing Human Rights Commissioner’ and recommends that personal data held centrally (such as following a diagnosis of Covid-19 or suspected Covid-19) ‘must be subject to the highest security protections and standard’.
The developers of the NHS tracking app have stated that the reason for choosing a centralised database model over the more data-secure and private decentralised model is that it allows for greater data analysis. The committee’s report says it is not clear that ‘the additional functionality of a centralised data system outweighs the risks inherent in such a model’.
Darren Wray, CTO at data privacy firm Guardum, welcomed the committee statement. “Many organisations, including governments, have a hoarder mentality, keeping as much personal data as possible and keeping it far beyond its useful life. Obviously the GDPR says that data should only be kept as long as is required for the purpose, but very few organisations truly audit their data in this way and so the data is kept. The answer to this problem is to design software from the ground up with the ability to honour data retention policies and requirements and I hope that the comments from the committee are an indication of the realisation and implementation of these requirements.
“Given the purpose of the collection of this data is to prevent the spread of COVID-19, the expiry date of the service and of the data should be closely aligned to this purpose. The service and the data collected should, therefore, expire when the crisis has subsided.
“The data collected and processed should also be minimised as required by current data privacy regulation. The amount of centralised data should be minimised; the ideal, although rejected by the Government previously, would mean that the information about who comes into contact with whom should only be stored on a user’s phone and should automatically expire every few weeks.”