What does the new NHSX contact tracing app mean for data protection?

In March, the UK Government stood down Public Health England’s 290 contact tracers, believing them already overwhelmed by the coronavirus spread. In April, however, the Government reversed its decision, announcing plans to train 18,000 contact tracers and to support their efforts through automation, using a contact-tracing app developed by NHSX (the NHS’ digital arm) downloaded to smartphones to ‘track-and-trace’ those exposed to the virus, but what exactly does this mean for data protection?

Data protection – another coronavirus casualty?

With a third of the planet’s population currently under COVID-19-related restrictions, the wider social and economic impact of ‘lockdown’ is becoming apparent. However, with a vaccine still 12-18 months away, governments around the world are weighing the apparent trade-off between easing restrictions and maintaining public health.

To prevent a second infection wave, countries have been exploring how to harness technology to automate contact-tracing, releasing the remainder of the population to go about daily life. Though simple-sounding, such technology is far from straightforward. It also brings serious practical and ethical concerns already playing out in some countries, and risks pitting health care against data protection.

What is contact tracing?

Contact tracing is a key tool in preventing the spread of communicable diseases. It involves tracking down and alerting those who have been in contact with a confirmed sufferer.

However, it has limitations: with airborne diseases such as COVID-19 where symptoms are delayed, it is difficult to identify everyone who may have been exposed. It is also time-consuming and works best with low infection levels.

How would automated contact tracing work?

Individual nations are developing their own contact tracing apps, but, broadly two methodologies exist: one employing the user’s geo-location, often in conjunction with credit card data and surveillance camera records, and a more privacy-friendly version based on Bluetooth.

Modern challenges in store for the Internet of Things

With the development of embedded networked systems, Bo Wei – senior lecturer in Computer Science at Northumbria University – discusses how the technology behind the Internet of Things (IoT) has become mature and readily available in people’s daily lives. Read here

In the Bluetooth version, as the user moves about, their phone connects with others within a certain range. A ‘Bluetooth handshake’ would take place in which connected phones exchange and each store a unique ‘key’ signifying physical proximity. In the UK, when users subsequently display symptoms, they may choose to allow the app to inform the NHS, which would then alert other app users whose smartphones hold the infected person’s key, indicating that those other users should self-isolate. The key would be anonymous and would not reveal the personal identity or location data of the infected individual to those receiving alerts.

To facilitate automated contact tracing, Apple and Google are collaborating to release interfaces, enabling Android and iOS devices to work together using apps from public health authorities.

How effective is it?

Although elementary, automated contact tracing has significant practical limitations. Bluetooth is an imprecise tool, and it risks false positives such as proximity through a wall. Necessarily it is ‘blind’ to disease transmission in spaces vacated by infected individuals moments before, where no Bluetooth handshake between handsets would take place. Crucially, automated contact tracing relies on uptake. In the UK, 60% of the population would need to download the app for it to make a positive difference, and with 20% of Britain’s population estimated not to own a smartphone and many older devices with limited app capability, many people would be excluded.

A further difficulty arises from the multiplicity of contact tracing apps currently under development – how will they work together? Moreover, once international travel resumes, will national contact tracing apps be interoperable? Finally, there is a risk that automated contact tracing will be seen as a panacea by ‘fanboys’ for utopian technological solutions, whereas in reality, it can only be part of the answer, along with adequate infection testing and traditional confirmatory contact tracing, which are essential components of any useful roll-out.

Authoritarian regimes around the world have been quick to use the pandemic to restrict their citizens’ freedoms, with China introducing a “traffic light” system to control citizens’ movements, and Russia deploying aggressive surveillance methods to enforce lockdown. Even in more libertarian states, contact-tracing apps risk morphing into ‘immunity passports’ determining access to amenities and further widening the ‘digital divide’.

Against this background, automated contact tracing has raised acute privacy concerns. Whereas many prefer a decentralised model where the Bluetooth handshake keys are stored only on a user’s handset, many health authorities around the world, including the NHS, prefer centralised records of anonymised data. However, centralised systems permit re-identification by governments or even hackers. In the UK, such concerns were highlighted when a draft Government memo was leaked in March suggesting ministers may be empowered to order the re-identification of individuals from their smartphone data where it was proportionate.

The rise of big tech monetising healthcare data

Nathalie Moreno, partner at Lewis Silkin, discusses the disruption and monetisation of healthcare data by big tech. Read here

To reduce such risks, Apple and Google have limited the operability of their proposed interface where centralised systems are created. The UK, meanwhile, has decided to press on with a centralised system, believing they have bypassed the deliberate limitations imposed by Apple and Google, albeit at a cost to phone battery life, and necessitating that screens remain unlocked, itself risking data security.

Beyond the pandemic, the UK Government’s approach may fuel pre-existing concern over excessive state surveillance powers arising from the Investigatory Powers Act 2016 (the so-called ‘Snooper’s Charter’), and whether the UK’s level of personal data protection is essentially equivalent to that of the EU. This would further jeopardise the prospects of an ‘adequacy decision’ from the European Commission at the end of the Brexit transition period, hindering personal data flows from Europe to the UK.

Data protection laws – help or hindrance?

In a straight contest between health and data privacy, polls show the public in favour of allowing government to use mobile phones to track coronavirus sufferers and inform others of potential infection, and regulators have been at pains to say that data protection laws are not incompatible with public health safety. Both the UK’s Information Commissioner and the European Data Protection Board (EDPB) have expressed their support for a data-driven solution as part of the response to the health emergency.

To ensure proper consideration of privacy implications and build public trust in contact tracing apps, the ICO has a blog for those developing technological solutions, focusing on transparency, fairness and proportionality. The ICO also issued a statement about the contact tracing app under development in the UK, recognising the role that data can play in beating COVID-19 and indicating that it had been working with NHSX regarding transparency and governance.

The EDPB, too, has emphasised the GDPR’s flexibility, rejecting any suggestion of incompatibility between public health safety and fundamental human rights and freedoms. In April, the EDPB issued guidelines clarifying the proportionate use of location data and contact tracing tools, but warned that such was the grave privacy intrusion of systematic and large scale monitoring of location and contacts, though legally undertaken on public interest grounds, only voluntary adoption could legitimise it. Those who cannot or decide not to use a contact tracing app should suffer no disadvantage, and GDPR principles of data minimisation, storage limitation and purpose limitation should be observed.

Has Brexit made UK data protection and the right to privacy more uncertain?

Brexit has complicated the UK’s stance on data protection and consumers’ right to privacy. Where the country goes now will depend on a deal with the EU — will politicians stick with a strong stance on a right to privacy or will they pivot? Read here


Despite the controversy surrounding it, data protection law is remarkably malleable. Although the legislative framework is complicated, there is a path through it which legally permits the potentially life-saving benefits of automated contact tracing, but simultaneously acts as a bulwark against authoritarianism. With the NHSX app being trialled on the Isle of Wight before national roll-out in weeks, it remains to be seen whether the practical data protection dilemmas such apps face can be adequately overcome to restore a semblance of normality and allow the UK and the rest of the world to begin the path to recovery after this extraordinary period.

Written by Andrew Watson and Julian Hayes, legal assistant and partner at BCL Solicitors LLP


Editor's Choice

Editor's Choice consists of the best articles written by third parties and selected by our editors. You can contact us at timothy.adler at stubbenedge.com