157.The Government announced on 12 March 2020 that it planned to develop a contact tracing app which would alert users if they were in close contact with a confirmed case of coronavirus, indicating that they should self-isolate. More details were released over the following weeks, including that data would be “centralised”, meaning stored on a central database. This contrasts with the “decentralised” model, where contacts are stored on, and notified from, users’ phones. Matthew Gould, CEO of NHSX, the body in charge of developing the app, argued in evidence to the Committee that centralised data could be studied to learn about Covid-19 and the pandemic. However, oral evidence from Dr Orla Lynskey and Dr Michael Veale, and evidence in written submissions to this inquiry urged the Government to move to the decentralised model, as it was more secure in terms of privacy. The app’s roll-out was delayed and, after trials on the Isle of Wight, the Government announced that it would not be ready until “winter”, and would move to the decentralised model developed by Apple and Google.
158.On 13 August, after several contradictory reports, the Government announced that a version of the app was being tested. There are reportedly still issues with recording contacts but, the app will have some additional features, such as personalised risk scores.
159.Whilst development of the app progresses, contact tracing carried out by staff employed on a national and local basis continues. There has been less discussion around privacy concerns of this method, but the concerns are broadly similar.
160.The Committee released a report in May 2020, Human Rights and the Government’s Response to Covid-19: Digital Contact Tracing, which identified issues with privacy and human rights around the first iteration of the app. The report called for privacy safeguards to be put into legislation and a proposed bill was produced to that effect. This proposed legislation set out: limitations on what data could be used for; how long it could be stored; a requirement for it to be deleted; prohibitions on it being shared; and arrangements for an independent oversight body. Despite other countries, such as Australia, passing similar legislation, the Government rejected our proposals stating “that existing legislation and our commitment to transparency, security and privacy provide sufficient protection and clarity to the public”.
161.We are surprised by the Government’s position given that the evidence submitted to our inquiry showed there were concerns about privacy. This lack of trust was exacerbated by high profile data breaches in the contact tracing system. The Government admitted that it did not follow the GDPR when it began manually tracing contacts of those infected with coronavirus before conducting a Data Protection Impact Assessment. Users’ trust will affect uptake and therefore the effectiveness of the app; Matthew Gould stated that the app would be “optimal” with 80 percent of smartphone users installing it. The Government cannot afford to alienate those who are concerned about privacy if it hopes to use the app to prevent increases in infection rates. In whatever form, the app constitutes an interference with an individual’s Article 8 ECHR right to private and family life and if the app is not effective at reducing the spread of Covid-19, and if privacy protections are not adequate then this interference will not be proportionate.
162.There has been little public debate of the privacy implications of manual contact tracing, but in some ways, the information gathered is more personal. Rather than simply recording that two phones were within two metres for 15 minutes, information gathered by a human contact tracer could feasibly be names of the people who were in contact, how long the contact was for and where they met. Additionally, this data is still processed and stored digitally, with most people being asked to fill in an online form. All of this means that privacy concerns similar to those for digital contact tracing still exist and that data safeguards need to be put in place.
163.There is also a risk around information gathered by businesses as part of track and trace. There have been reports of customers being harassed after people obtained their numbers from sign-in books left on display in pubs and restaurants. These businesses must comply with the GDPR and the Government has provided guidance, but concerns remain over whether this data is being properly handled.
164.The same test applies here as to data collected through an app: data collection and storage can only be proportionate if sufficient safeguards are in place and if the overall justification to collecting that data remains valid - i.e. the test and trace system is an effective and proportionate means of helping to combat Coronavirus. Adequate safeguards must be in place to protect the right to privacy and to protect people’s data; if such safeguards are not in place or are not working in practice, then these interferences will not be proportionate.
165.It is welcome that the Government is now developing a decentralised app as the evidence we received confirmed that this model alleviates some of the privacy concerns. However, the majority of privacy concerns persist with this model and we continue to believe legislation would provide security for users and increase uptake. Evidence to our inquiry showed that there is concern information is being shared with private companies. For example, there were reports of a Government contract with McKinsey, which would have allowed the company to keep personal data for seven years. DHSC clarified that the contract ruled out any personal data being shared without the Department’s consent. However, this response failed to explain why it would ever be considered appropriate to allow private companies to keep personal information for seven years without a public health justification. Ambiguities such as this would be dealt with by a legal requirement that any personal information shared with the private sector can only be used and stored for defined purposes directly relating to the public health emergency and a limited duration. Similar legal provisions should prohibit sharing within the public sector for purposes unrelated to combating Coronavirus. Further, the type of data that will be gathered should be defined, as evidence in submissions has raised concerns about ‘mission creep’. Indeed, Matthew Gould’s comment about future versions of the app being able to gather location data lends credence to these concerns.
166.Various evidence submissions raised concerns about the risks of digital exclusion, particularly for older and disabled people. The Government assured us the app would not be made compulsory, but if it becomes a condition for admission to certain venues, or places of employment, then it risks being de-facto compulsory and raising discrimination and equality concerns, particularly if certain groups are disproportionately affected by such measures. This would risk discriminating against those without phones or with limited digital skills. The latest version of the app would give people a risk score. It is important that the Government ensures that measures are in place so that those who do not have access to the app are not discriminated against in accessing services. Measures should also be put in place so that those who do not have access to the app can also receive information in respect of their risk of infection from contact with others with Covid-19 as part of a multi-faceted test and trace system.
167.It is welcome that the Government decided to stop the development of the centralised model for their contact tracing and is now working on a decentralised model instead. However, privacy issues remain. To build trust with users, which has been shaken by high-profile missteps, the Government should introduce legislation which defines what data will be collected, how long it can be held, when it will be deleted. Such legislation should include a ban on contact tracing data being shared for any purpose other than combating the spread of Coronavirus.
168.Manual contact tracing is the main component of the UK’s test, track and trace system. This still involves data being collected; indeed, that data is arguably more sensitive than that collected by the app. Whether that data is gathered digitally or manually, the legislation should limit how long manually gathered data can be held, define what type of information can be gathered, confirm when it will be deleted, and restrict it from being shared for any purpose other than combating the spread of Coronavirus.
185 [Matthew Gould]
186 [Dr Michael Veale and Dr Orla Lynskey]
187 Supplementary written evidence from Dr Orla Lynskey, Department of Law, London School of Economics, and Dr Michael Veale, Faculty of Laws, University College London (); Liberty ()
188 “Coronavirus: Health minister says app should roll out by winter”, BBC News, 17 June 2020
189 “Coronavirus: England’s contact tracing app trial gets under way”, BBC News, 13 August 2020
190 Joint Committee on Human Rights, Third Report of Session 2019–21, , HC 343/ HL Paper 59
191 Letter to Rt Hon Matt Hancock MP, Secretary of State for Health and Social Care, Department of Health and Social Care, , 7 May 2020
192 “Government releases draft legislation for Covidsafe tracing app to allay privacy concerns”, The Guardian, 4 May 2020
193 Letter from the Lord Bethell, Parliamentary Under Secretary of State for Innovation, Department of Health and Social Care, , dated 16 July 2020
194 Open Rights Group, Big Brother Watch, Privacy International, Deighton Pierce Glyn (), Open Rights Group ()
195 “Coronavirus: Serco apologises for sharing contact tracers’ email addresses”, BBC News, 20 May 2020
196 “Coronavirus: England’s test and trace programme ‘breaks GDPR data law”, BBC News, 20 July 2020
197 Oral evidence taken before the Science and Technology Committee on 15 October 2013, HC (2019–21) 136, [Matthew Gould]
198 Department of Health and Social Care, , 27 May 2020
199 “Test and trace is being used to harass women - already”, The Telegraph, 15 July 2020
200 Department of Health and Social Care, , 2 July 2020
201 Member of the public ()
202 See “McKinsey banks £560,000 consulting on “vision, purpose and narrative” for new test and trace body”, Civil Service World, 18 August 2020
203 Professor Lorna McGregor et al ()
204 [Matthew Gould]
205 Greater Manchester Disabled People’s Panel (); Just Fair (); Professor Lorna McGregor et al (); Equally Ours ()
Published: 21 September 2020