Last Friday (25 Septemeber 2020) the Government released its contact tracing app (the “App”) which, at the time of writing, has already been downloaded 10 million times. The App is designed to allow people to check into venues (helping users and businesses comply with their new obligations in the process – see our summary: here), and alert users if they have come into contact with anyone who has tested positive for COVID-19.
The nature of a contact tracing App was always going to raise some interesting data protection questions, and we discussed these in a previous article before the App was released. The App is now up and running, using a de-centralised system of storing data (i.e. storying data on each person’s handset), rather than storing it in a centralised Government server, as was originally proposed. Therefore we have re-visited those data protection questions to examine how the App intends to succeed in its purpose, whilst remaining compliant with data protection legislation.
How does the App work?
The App has two key functions: (1) contact tracing; and (2) venue check-in. The contact tracing function works through a Bluetooth connection with other users’ handsets and a scoring algorithm. Staying within a certain distance of another user for 5 minutes grants a corresponding points score. If enough points are accumulated with the same person, and either person then enters a positive test into the App, the other person is alerted, and advised regarding self-isolation and/or getting a test.
The check-in function works by users scanning the QR code at a venue to log that they have been there. If there is subsequently an outbreak attributed to that venue on any given day, the App will alert those who checked into that venue on the day.
What are the concerns about the App and data privacy?
The overarching concerns relating to the App concern personal data: what data would be required, what the data would be used for, and would the data be used for reasons other than combating the spread of COVID-19.
What is “personal data”, and “special category personal data” and why is it important?
“Personal data” is any information relating to a living person. This includes data such as names, contact details and location data. There is also “special category personal data”, which includes details such as genetic data and health data, and processing such types of data is subject to more stringent rules than standard personal data.
Such information is highly personal, and it is clear why many would have concerns about any system which holds this information on them, especially special category personal data. On the other hand, without personal data, the App would not be able to function properly and serve its purpose as a track and trace tool, so a balance needs to be struck.
What does the App need to do to comply with data protection laws?
Regardless of the pressing need for the App due to COVID-19, the Government must still comply with data protection laws in relation to any personal data which the App collects and processes. This means that the Government needs a lawful basis for it to collect and process the personal data.
In the case of personal data, the Government is relying on Article 6(e) of the General Data Protection Regulation (“GDPR”) – performance of a task carried out in the public interest – as its lawful basis for processing. In relation to special category personal data, the Government is relying on Articles 9(2)(g) – 9(2)(i) of the GDPR, which allows it to process special category personal data on the grounds of processing for reasons of public interest in the area of public health.
The App also has a number of other requirements to meet under data protection laws, such as:
- the personal data collected must be limited to what is adequate, relevant and necessary (Article 5(1)(c) of GDPR); and
- the personal data must be stored for no longer than is necessary for the purposes for which it was originally collected (Article 5(1)(e) of GDPR).
Does the App comply with the requirements of the GDPR?
The Privacy Notice for the App claims that it collects as little personal information as possible, with only the following types of data being considered “personal data”:
- the postcode district you provide when you install the App (notably, you do not have to enter a name, email address or other contact details);
- the symptom information you enter onto the App;
- the QR codes of the venues that you scan into the App; and
- the codes which are generated for contact tracing purposes to apply the scoring algorithm mentioned above.
The data which is collected therefore does seem to be relevant for the purpose, and limited as far as possible.
Special category personal data (such as symptoms and test results) can only be entered into the App by the user manually. If a user enters a positive test result, they are then asked for their further consent for anyone they have been in contact with to be alerted. The alert does not state an origin, and the App claims there is no way to trace an alert back.
The App retains the QR codes for 21 days, which correlates with the advised incubation and infection period for COVID-19. The daily codes generated by the App (which interact with other devices) are retained for 14 days. These periods would seem to be no longer than is necessary for the purpose on which data was collected. Each user can also choose to delete the App, delete the existing personal data, and prevent any further processing. This assists with compliance with the data retention elements of the GDPR.
How does the data protection compare with manual contact tracing?
The type and amount of data collected by the App certainly appears more secure, and less of a privacy concern than manual contact tracing (for example, adding your name and mobile number to the list at a pub).
Manual tracing collects and processes more identifiable data such as names, address and contact details. Such collection and processing is also often far less secure, with details being taken in writing by private businesses and their employees, making it harder to guarantee that data protection principles such as minimal data processing and retention are complied with.
Whilst any conclusion would be subject to the actual security measures and use of the data by each individual business, in principle using a centralised system should be more secure and infringe on a person’s data privacy in a much more reduced manner.
So are concerns about the App and data privacy well founded?
Overall, whilst the long-term assessment of the App is still to be made after it has been in operation for a while, it seems that the efforts to minimise its data protection impact on users and to make it as un-intrusive as possible, have been a success.
Whilst every person’s attitude to sharing this type of personal data is different, it is hard to imagine a way in which the objective of a track and trace system could be achieved using any less personal data.
Our initial article concluded by saying that the public’s use of any contact tracing app would be based on trust, and sufficient security measures. Given the App so far has only roughly one sixth of England using it, trust will still need to be built for the Government to make the App as effective as possible.
If you have any questions on the content of this article, please contact a member of our Data Protection Team by email or by calling 01603 610911.