157.The Government announced on 12 March 2020 that it planned to develop a contact tracing app which would alert users if they were in close contact with a confirmed case of coronavirus, indicating that they should self-isolate. More details were released over the following weeks, including that data would be “centralised”, meaning stored on a central database. This contrasts with the “decentralised” model, where contacts are stored on, and notified from, users’ phones. Matthew Gould, CEO of NHSX, the body in charge of developing the app, argued in evidence to the Committee that centralised data could be studied to learn about Covid-19 and the pandemic.185 However, oral evidence from Dr Orla Lynskey and Dr Michael Veale,186 and evidence in written submissions to this inquiry urged the Government to move to the decentralised model, as it was more secure in terms of privacy.187 The app’s roll-out was delayed and, after trials on the Isle of Wight, the Government announced that it would not be ready until “winter”, and would move to the decentralised model developed by Apple and Google.188
158.On 13 August, after several contradictory reports, the Government announced that a version of the app was being tested.189 There are reportedly still issues with recording contacts but, the app will have some additional features, such as personalised risk scores.
159.Whilst development of the app progresses, contact tracing carried out by staff employed on a national and local basis continues. There has been less discussion around privacy concerns of this method, but the concerns are broadly similar.
160.The Committee released a report in May 2020, Human Rights and the Government’s Response to Covid-19: Digital Contact Tracing,190 which identified issues with privacy and human rights around the first iteration of the app. The report called for privacy safeguards to be put into legislation and a proposed bill was produced to that effect.191 This proposed legislation set out: limitations on what data could be used for; how long it could be stored; a requirement for it to be deleted; prohibitions on it being shared; and arrangements for an independent oversight body. Despite other countries, such as Australia,192 passing similar legislation, the Government rejected our proposals stating “that existing legislation and our commitment to transparency, security and privacy provide sufficient protection and clarity to the public”.193
161.We are surprised by the Government’s position given that the evidence submitted to our inquiry showed there were concerns about privacy.194 This lack of trust was exacerbated by high profile data breaches in the contact tracing system.195 The Government admitted that it did not follow the GDPR when it began manually tracing contacts of those infected with coronavirus before conducting a Data Protection Impact Assessment.196 Users’ trust will affect uptake and therefore the effectiveness of the app; Matthew Gould stated that the app would be “optimal” with 80 percent of smartphone users installing it.197 The Government cannot afford to alienate those who are concerned about privacy if it hopes to use the app to prevent increases in infection rates. In whatever form, the app constitutes an interference with an individual’s Article 8 ECHR right to private and family life and if the app is not effective at reducing the spread of Covid-19, and if privacy protections are not adequate then this interference will not be proportionate.
162.There has been little public debate of the privacy implications of manual contact tracing, but in some ways, the information gathered is more personal. Rather than simply recording that two phones were within two metres for 15 minutes, information gathered by a human contact tracer could feasibly be names of the people who were in contact, how long the contact was for and where they met. Additionally, this data is still processed and stored digitally, with most people being asked to fill in an online form.198 All of this means that privacy concerns similar to those for digital contact tracing still exist and that data safeguards need to be put in place.
163.There is also a risk around information gathered by businesses as part of track and trace. There have been reports of customers being harassed after people obtained their numbers from sign-in books left on display in pubs and restaurants.199 These businesses must comply with the GDPR and the Government has provided guidance,200 but concerns remain over whether this data is being properly handled.
164.The same test applies here as to data collected through an app: data collection and storage can only be proportionate if sufficient safeguards are in place and if the overall justification to collecting that data remains valid - i.e. the test and trace system is an effective and proportionate means of helping to combat Coronavirus. Adequate safeguards must be in place to protect the right to privacy and to protect people’s data; if such safeguards are not in place or are not working in practice, then these interferences will not be proportionate.
165.It is welcome that the Government is now developing a decentralised app as the evidence we received confirmed that this model alleviates some of the privacy concerns. However, the majority of privacy concerns persist with this model and we continue to believe legislation would provide security for users and increase uptake. Evidence to our inquiry showed that there is concern information is being shared with private companies.201 For example, there were reports of a Government contract with McKinsey, which would have allowed the company to keep personal data for seven years.202 DHSC clarified that the contract ruled out any personal data being shared without the Department’s consent. However, this response failed to explain why it would ever be considered appropriate to allow private companies to keep personal information for seven years without a public health justification. Ambiguities such as this would be dealt with by a legal requirement that any personal information shared with the private sector can only be used and stored for defined purposes directly relating to the public health emergency and a limited duration. Similar legal provisions should prohibit sharing within the public sector for purposes unrelated to combating Coronavirus. Further, the type of data that will be gathered should be defined, as evidence in submissions has raised concerns about ‘mission creep’.203 Indeed, Matthew Gould’s comment about future versions of the app being able to gather location data lends credence to these concerns.204
166.Various evidence submissions raised concerns about the risks of digital exclusion, particularly for older and disabled people.205 The Government assured us the app would not be made compulsory, but if it becomes a condition for admission to certain venues, or places of employment, then it risks being de-facto compulsory and raising discrimination and equality concerns, particularly if certain groups are disproportionately affected by such measures. This would risk discriminating against those without phones or with limited digital skills. The latest version of the app would give people a risk score. It is important that the Government ensures that measures are in place so that those who do not have access to the app are not discriminated against in accessing services. Measures should also be put in place so that those who do not have access to the app can also receive information in respect of their risk of infection from contact with others with Covid-19 as part of a multi-faceted test and trace system.
167.It is welcome that the Government decided to stop the development of the centralised model for their contact tracing and is now working on a decentralised model instead. However, privacy issues remain. To build trust with users, which has been shaken by high-profile missteps, the Government should introduce legislation which defines what data will be collected, how long it can be held, when it will be deleted. Such legislation should include a ban on contact tracing data being shared for any purpose other than combating the spread of Coronavirus.
168.Manual contact tracing is the main component of the UK’s test, track and trace system. This still involves data being collected; indeed, that data is arguably more sensitive than that collected by the app. Whether that data is gathered digitally or manually, the legislation should limit how long manually gathered data can be held, define what type of information can be gathered, confirm when it will be deleted, and restrict it from being shared for any purpose other than combating the spread of Coronavirus.
187 Supplementary written evidence from Dr Orla Lynskey, Department of Law, London School of Economics, and Dr Michael Veale, Faculty of Laws, University College London (COV0093); Liberty (COV0092)
188 “Coronavirus: Health minister says app should roll out by winter”, BBC News, 17 June 2020
189 “Coronavirus: England’s contact tracing app trial gets under way”, BBC News, 13 August 2020
190 Joint Committee on Human Rights, Third Report of Session 2019–21, Human Rights and the Government’s Response to Covid-19: Digital Contact Tracing, HC 343/ HL Paper 59
191 Letter to Rt Hon Matt Hancock MP, Secretary of State for Health and Social Care, Department of Health and Social Care, regarding Contact Tracing App legislation, 7 May 2020
192 “Government releases draft legislation for Covidsafe tracing app to allay privacy concerns”, The Guardian, 4 May 2020
193 Letter from the Lord Bethell, Parliamentary Under Secretary of State for Innovation, Department of Health and Social Care, regarding Human Rights and the Government’s Response to COVID-19: Digital Contact Tracing, dated 16 July 2020
194 Open Rights Group, Big Brother Watch, Privacy International, Deighton Pierce Glyn (COV0221), Open Rights Group (COV0240)
195 “Coronavirus: Serco apologises for sharing contact tracers’ email addresses”, BBC News, 20 May 2020
196 “Coronavirus: England’s test and trace programme ‘breaks GDPR data law”, BBC News, 20 July 2020
197 Oral evidence taken before the Science and Technology Committee on 15 October 2013, HC (2019–21) 136, Q377 [Matthew Gould]
198 Department of Health and Social Care, Guidance - NHS Test and Trace: how it works, 27 May 2020
199 “Test and trace is being used to harass women - already”, The Telegraph, 15 July 2020
200 Department of Health and Social Care, Guidance - Maintaining records of staff, customers and visitors to support NHS Test and Trace, 2 July 2020
202 See “McKinsey banks £560,000 consulting on “vision, purpose and narrative” for new test and trace body”, Civil Service World, 18 August 2020
Published: 21 September 2020