1. Covid-19 emerged in late 2019 in the city of Wuhan in Hubei province, China. Its origins are yet to be confirmed. It spread quickly through the population in Wuhan and to slow transmission the Chinese Government implemented a strict “lockdown” of the city and later the province. As the virus spread internationally, other countries introduced their own lockdowns, although the restrictiveness of the measures varied and few matched the intensity of the Chinese approach.
2. South Korea avoided imposing a blanket lockdown through a mass testing regime and tracing the contacts of those who had been infected so they could self-isolate and break the chain of transmission. This included the use of a contact tracing app but was combined with extensive manual contact tracing. With just 255 deaths as of 5 May 2020, and daily life largely proceeding as normal, it is widely recognised that much can be learnt from South Korea’s response.
3. The Government announced on 5 May 2020 that the UK had passed 29,000 confirmed deaths from Covid-19, a similar number to Italy and second only behind the United States in terms of the total death toll. The privacy concerns about the contact tracing app are certainly pertinent to human rights, especially Article 8, which protects the right to private and family life. However, Governments also have a responsibility to protect Article 2 ECHR, the right to life. If the app demonstrably protects lives and can help to ease the constraints of a lockdown, then this is a very relevant factor in assessing the proportionality of any interference with the right to a private life under Article 8 ECHR. However, any contact tracing must only interfere with the right to privacy to the strict extent necessary to achieve its objectives of combatting the disease, so robust privacy protections will be important and where exactly the line is drawn is a matter of debate.
4. Contact tracing is one way of trying to control and track the spread of the virus. It involves notifying individuals when they have come into contact with others who may have been exposed to the Covid-19 virus and giving them appropriate advice, for example to get tested and/or to self-isolate, in order to minimise the further spread of the virus. Several countries are using smartphones to speed up the process of contact tracing.
5. Digital contact tracing generally works by an app on a user’s smartphone registering and storing details of another smartphone when it is within a defined distance for a certain period of time. If a user tests positive for (or is suspected of having) the virus, the app notifies these contacts that they may themselves be affected. There are a number of different approaches to digital contact tracing which have been discussed at length by academics in recent weeks. Some of the key differences, which have implications for privacy, are discussed briefly below.
6. A major area of discussion around the development of the app has been whether the NHSX should adopt a “centralised” or “decentralised” approach to data storing and sharing. The two models are explained briefly below:
The Information Commissioner’s Office, privacy experts and organisations, as well as the European Parliament and the European Data Protection Board (EDPB) have indicated a preference for a decentralised approach. It is considered that this would provide greater protection against the abuse of people’s data than apps which pull data into centralised pots and have a higher risk of security breaches as well as being much more invasive into the private lives of individuals. There are heightened risks with centralised models with their “potential to de-anonymise data and develop profiles of individuals’ social interactions.” However, it is asserted that a centralised approach has “public health advantages,” in that, it allows health authorities to analyse how the virus is spreading. In turn that allows them to help prevent the spread of the virus (and therefore deaths caused by it), to allow hospitals in virus hotspots to prepare for a surge in cases, and to lessen the invasive nature of the lockdown provisions to the extent possible. It also allows them to improve the efficacy of the app in future versions.
7. The developers of the NHS tracking app have stated that the purpose for choosing a centralised database model over the more data-secure and private de-centralised model is that it allows for greater data analysis. It is not clear that the additional functionality of a centralised data system outweighs the risks inherent in such a model. Such risks may include:
8. It has been noted that the UK is an outlier. While giving evidence to the Committee, Matthew Gould and Dr Michael Veale, lecturer in Digital Rights and Regulation, University College London, both accepted that the technical difficulties of switching the current model to a de-centralised system were manageable. The NHS tracking app asks for post code area information. In some parts of England there are fewer than 10,000 people in a post code area. Three or four ‘bits’ of information can be enough to identify individuals. If NHSX were to add location data to the current model, could easy and consistent individual identification become possible, especially with a centralised data system? The Committee expresses concern that the centralised model is being proposed without there having been the opportunity for Parliamentary debate and consideration of the alternative.
9. Another difference between approaches is how to notify the app of an infection. This could be done via self-reporting into the app; by uploading confirmation of an approved test; or health authorities themselves uploading results onto the app server. Relying upon self-reporting alone may carry the risk of false alerts, thereby impacting on other people’s rights if they have to isolate unnecessarily.
10. Another area of discussion has been around whether a contact tracing app should be voluntary or mandatory to use. The Information Commissioner, the European Data Protection Board (EDPB) and other privacy experts have indicated that the use of contact tracing applications should be voluntary. The EDPB have said that this would imply that “individuals who decide not to or cannot use such applications should not suffer from any disadvantage at all.” Some academics in the UK have called for protection for groups who do not have access to smartphones to ensure that they are not penalised for not using the app.
11. The UK Government is going ahead with its plans to release a contact tracing app. A Government press release dated 4th May 2020 contained details of the first phase of the Government’s “test, track and trace programme,” which includes roll out of the NHS Covid-19 App in the Isle of Wight. The Government’s intention is to use the app as a tool to “minimise the spread of Covid-19 and move towards safely reducing lockdown measures.”
12. We took evidence from Matthew Gould, CEO of the NHSX, the Information Commissioner, Dr Orla Lynskey and Dr Michael Veale and others on the UK’s plan to release a contact tracing app. We are grateful for their evidence. We were also assisted by a specialist advisor Adam Wagner with this inquiry.
13. The NHSX app will use the centralised model for data storage and sharing. It will work by logging the distance between an individual’s phone and other phones nearby that also have the app installed using Bluetooth Low Energy. Unless a user becomes ill, this log will be stored on an individual’s phone and the data deleted every 28 days. Matthew Gould, Chief Executive of NHSX, told us that users who become ill will then have the choice to upload the information from the app onto the central server. Users will also be able to give their anonymous contacts to the central database which will identify which contacts are at risk and notify them accordingly. It will also allow the NHS to use the anonymised data to understand how the virus is spreading.
14. While a recent poll has shown that 65% of people in the UK are in favour of having an app to track the virus, a number of privacy concerns remain with the approach being adopted by the UK. The main concerns with the NHSX’s current approach are outlined below:
15. The overall Government response to Covid-19 raises core human rights considerations. In addressing the virus, the Government is required to protect the right to life, guaranteed by Article 2 of the European Convention on Human Rights (ECHR). In doing so, many countries, including the UK, have placed severe restrictions on individuals’ movements by enforcing “lockdowns”, which themselves have wide ranging implications for human rights. The lockdown measures are a significant interference with the right to family and private life (Article 8 ECHR), the right to free movement (Article 12 International Covenant on Civil and Political Rights 1966), freedom of assembly and association (Article 11 ECHR), freedom of religion or belief (Article 9 ECHR), the peaceful enjoyment of possessions (Article 1 of Protocol 1 ECHR) and the right to education (Article 2 of Protocol 1 ECHR). One way of easing lockdown restrictions is to seek to contain the virus through a variety of other techniques including digital contact tracing, which itself will interfere with the right to private life (Article 8 ECHR) as well as requiring a very careful analysis of compatibility with data protection and privacy law.
16. In the UK privacy law is protected by Article 8 ECHR, the common law duty of confidence, the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (which has equivalent protections to the GDPR under the “UK GDPR” that will succeed the GDPR after Brexit transition).
17. The seven data protection principles under the GDPR (and mirrored by the UK GDPR) provide a basis for considering the issues which need to be addressed before an app is released:
a) Data minimisation: The processing of personal data should be limited to what is necessary.
b) Purpose limitation: Organisations need to be clear about the purposes for processing data from the start of data processing and collection. This must be specified in privacy information provided to individuals.
c) Storage limitation: Personal data must not be kept for longer than is necessary for the purposes for which the personal data is processed.
d) Integrity and confidentiality: Appropriate security measures must be in place to protect personal data e.g. from accidental breaches.
e) Lawfulness, fairness and transparency: Personal data must be processed in a transparent manner and data organisations must be clear about how they will use personal data.
f) Accountability and accuracy: Organisations must take responsibility for what they do with personal data and must take all reasonable steps to ensure that personal data held is not incorrect.
Published: 7 May 2020