Contact tracing apps: is the data privacy risk worth the benefit?
As a key part of the next phase of fighting the pandemic, the Government are proposing the use of “contact tracing” apps. These apps will aim to track the spread of COVID-19 and allow for people to be notified if they have been in contact with anyone who has tested positive for the virus.
In the fight against the COVID-19 pandemic, we have all seen the rights and freedoms that we take for granted on a day to day basic being eroded in the name of fighting the virus. However, the vast majority of people have accepted the current lockdown measures as being completely justified and necessary to attempt to control and fight off the virus, safe in the knowledge that those freedoms will return one day (hopefully sooner rather than later).
As a key part of the next phase of fighting the pandemic, the Government are proposing the use of “contact tracing” apps. These apps will aim to track the spread of COVID-19 and allow for people to be notified if they have been in contact with anyone who has tested positive for the virus. The benefits are clear – jumpstarting the economy, returning to a more normal way of life – but the downsides and privacy impact such an app will have on individuals creates plenty of data protection questions which will need to be answered.
How will contact tracing apps work?
It is currently proposed that contact tracing apps will work by using short-range Bluetooth to log each time that someone with the app installed comes into contact (for at least 15 minutes) with someone else using the app. That log of contacts will be stored on the individual’s phone.
If a person who has been using the app develops COVID-19 symptoms, they have the option to alert the NHS through the app, which will then notify each app-user who has been in contact with that person and recommend certain precautions. Crucially, the app is not going to inform people which individual they have been in contact with had COVID-19 symptoms.
A trial of the NHS contact tracing app is due to commence in the Isle of Wight this week. Once implemented, it is estimated that at least 50% to 60% of the population would need to be using the app for it be effective.
How does data protection apply to contact tracing apps?
Guidance released by the European Data Protection Board (“EDPB”) on the use of contact tracing apps makes it clear just how great of a data protection impact these apps can have when it states “The systematic and large scale monitoring of location and/or contacts between natural persons is a grave intrusion into their privacy.”
Whilst this type of intrusion into individuals’ privacy would not be acceptable in normal times, it goes to show the nature and extent of the global pandemic that such technology is even being considered. Even at the start of the COVID-19 pandemic, when reports of contact tracing apps being used in places such as South Korea were emerging, the idea of these apps being used in the UK seemed very unlikely.
However, the COVID-19 pandemic does not mean that data protection law no longer applies and the Government does not have free reign to do as it pleases with our personal data. The EDPB guidance states that “data protection is indispensable” when searching for solutions to assist the management of the pandemic. If anything, this use of contact tracing apps will be the greatest test of our data protection legal framework yet.
On what basis will personal data be processed?
Under the General Data Protection Regulation (“GDPR”), for the processing of personal data to be lawful, at least one of the six lawful basis for processing must apply. With contact tracing apps, it appears that the Government will rely on a combination of two of those lawful basis for processing: consent (article 6(a) GDPR) and performance of a task carried out in the public interest (article 6(e) GDPR).
It is not currently proposed that anyone would be forced to use the app without their consent and it is hard to imagine such an approach being accepted in this country. However, achieving use of the app by 50-60% of the population by obtaining consent each time may prove very difficult. Therefore, to say that consent will always be required would probably be foolish and there may come a time where the Government seeks to rely solely on the public interest ground for processing (article 6(e) of GDPR) and no consent is required.
What are the other data protection issues?
For many people, there may be some concern that the Government will use or disclose their personal data for other purposes than solely fighting the spread of the virus.
From a data protection perspective, collecting the contact tracing information for the strict purposes of preventing and reducing the spread of the COVID-19, and then using that personal data for any other purpose (for example, crime prevention), would not be permitted under data protection law. The NHS also claims that people will be able to delete the app and all of their associated data whenever they want.
Another big issue will be the potential for hacking and data breaches. It is very difficult to truly anonymise a data set which includes location data points and contact information, even where the data does not include any typical identifiers such as names and addresses. If the data collected through the contact tracing apps was to fall into the wrong hands, it is possible that it could be reverse-engineered in order to identify individuals and the privacy impact would be significant. The Government will therefore have to ensure that property security measures are being taken.
Is the privacy risk worth the benefit?
For the Government to achieve its stated target of 50% of the population using its contact tracing apps, a majority of people will have to buy in to the benefits of contact tracing outweighing the risks.
Therefore, the Government will have sell the public on the benefits and how, specifically, the use of the app will help reduce the spread of the virus. The key benefit, and one which the Government will surely use as a main selling point, is the return to more normal lifestyle.
At the same time, in order to obtain proper consent under GDPR, the Government must allow people to make fully informed decisions as to whether they use the app. This will include providing details of the risks involved by setting out exactly what the data is going to be used for, for how long, how it can be deleted and how it will be protected.
Overall, whilst it is amazing that we have come to a point where the idea of the Government tracking our movements does not seem completely unacceptable, it would not be a surprise to see a majority of the population decide that the benefits of contact tracing outweigh the risks, at least initially.
However, the continued use of the app by the public will be based on trust in the security measures that are put in place and that the data will only be used for a very limited purpose. If the Government loses the public’s trust by suffering a data breach, for example, it is likely that the numbers of app-users would show a sharp decline and any benefit of the app would be lost.
If you have any questions on the content of this article, please contact a member of our Corporate & Commercial Team by email or by calling 01603 610911
Autumn Budget 2025: Agricultural Property Relief & Business Property Relief Changes
It was announced in the 2025 Budget that from 6 April 2026, changes will be made to agricultural property relief and business property relief. These changes bring APR and BPR in line with the nil-rate band rules, meaning unused allowances can be transferred to a surviving spouse or civil partner. This is a significant step towards making estate planning easier for families who own farms or businesses.
The Employment Rights Act 2025 is expected to come into force tomorrow (18 December 2025)
After an extended period of back-and-forth amendments between Parliament and the House of Lords, on 16 December 2025, the ERB finally received approval from the House of Lords, with the formality of Royal Assent due to take place tomorrow (18 December 2025). Head of LP Employment, Dan Chapman, explains...
Autumn Budget 2025: Agricultural Property Relief & Business Property Relief Changes
It was announced in the 2025 Budget that from 6 April 2026, changes will be made to agricultural property relief and business property relief. These changes bring APR and BPR in line with the nil-rate band rules, meaning unused allowances can be transferred to a surviving spouse or civil partner. This is a significant step towards making estate planning easier for families who own farms or businesses.
The Employment Rights Act 2025 is expected to come into force tomorrow (18 December 2025)
After an extended period of back-and-forth amendments between Parliament and the House of Lords, on 16 December 2025, the ERB finally received approval from the House of Lords, with the formality of Royal Assent due to take place tomorrow (18 December 2025). Head of LP Employment, Dan Chapman, explains...
Charity of the Month: The Matthew Project
Leathes Prior is delighted to be supporting The Matthew Project as our Charity of the Month for December 2025. The Matthew Project supports young people and adults across Norfolk, Suffolk, and Essex to overcome issues around drugs, alcohol, and mental health, empowering them to rebuild confidence and lead fulfilling lives.
Leathes Prior’s Milan Pandit appointed President of the Norfolk & Norwich Law Society
Leathes Prior Solicitors is proud to announce that Milan Pandit, Solicitor in our Corporate & Commercial Team, has been appointed President of the Norfolk & Norwich Law Society (NNLS) for 2025/26.
Commercial Lease Renewals: A guide for Landlords & Tenants
Commercial lease renewals are a topic that every commercial landlord and business that rents commercial premises should have at the forefront of their minds. It is essential for good succession planning, though it is often neglected until the expiry of an existing lease term is looming or once the existing term has come to an end and the tenant is holding over. In this article, our newly qualified solicitor, Maggie Berry explores the process that landlords and tenants can expect when navigating this complex area of law.
Our Guidance, Your Legacy: What is a Will, and why should I make one?
Not only is a Will one of the most important steps you can take to protect your loved ones and ensure your wishes are respected, but it also limits the likelihood of a claim/dispute following your death. To ensure your loved ones and the causes you care about benefit from your estate, a Will is essential to ensuring this happens. Find out more in this article.
Lease extensions: The essentials to getting started
Extending your lease can seem complex, but taking the right steps early can make the process much smoother. Jake Mowatt, Associate and Harry Smith, Trainee Solicitor in our Residential Property Team outlines the key essentials every leaseholder should understand prior to extending their lease.
Upcoming changes to bringing employment law claims: What these mean for you
The highly anticipated Employment Rights Bill (ERB) is set to increase the time limits in which employees can bring an employment tribunal claim. Gareth Stevens & Rose Woolterton explain what this means for employers & employees.
Service Charges in Residential Leases: FAQs
Service charges are forever a hot topic in the world of property disputes, and it remains one of the most contentious areas between freeholders and leaseholders, particularly in long residential leases. Danny Turpin, Associate, discusses frequently asked questions regarding service charges on long residential leases.
Leathes Prior winners in nine categories in the prestigious Legal 500 Future Laywer Survey
We are thrilled to announce that the firm has placed once again in the Legal 500 Future Lawyer survey as No.1 in the UK for our Social Life; a ranking we have held in the survey for seven years out of the past nine years.
Jess’s Rule – New Guidelines for GPs
A new initiative is being rolled out across GP practices across England in the hope of preventing serious illnesses being missed by GPs where patients present with the same, or deteriorating, symptoms on multiple occasions. Kimberley Nelson in our Personal Injury & Clinical Negligence Team discusses new guidelines for GPs.
Leathes Prior are excited to announce that four Trainee Solicitors qualify at the firm
Leathes Prior is excited to announce that four of our amazing trainees, Eleanor Chapman, Maggie Berry, Alex Robinson, and Georgia Sartin, have successfully completed their training contracts and are now qualifying as Solicitors at the firm.
