NHS Contact-Tracing App Could Break Privacy Law, Government Warned

The UK Parliament’s Joint Committee on Human Rights has announced that it will publish a report on 8 May detailing its findings on the NHS’s contact-tracing app, and has issued early warnings that the app might breach data privacy laws in its current state.

The app is currently being trialled on the Isle of Wight, and operates by exchanging Bluetooth signals between nearby phones as their users come into contact. Should one user later be diagnosed with COVID-19, all users with whom they have come into contact will then be automatically alerted to the possibility that they have been exposed to the virus.

However, campaign groups have taken issue with the data collection methods utilised by the app, such as its reliance on collecting the Bluetooth keys of both infected individuals and their contacts to be stored in a centralised database of information that the NHS will be able to access. This model is at odds with the more widely used Apple-Google exposure notification tool, which heavily restricts the amount of data exchanged.

The Human Rights Committee has called for new legislation to guarantee data privacy and human rights protections, and an independent body to oversee the effective security of the app and any data associated with the contact-tracing process.

Elizabeth Denham, the information commissioner, revealed while giving evidence to the Committee on Monday that her office had not been given a data protection impact assessment from the government, which is a legally required step for organisations that embark on “high risk” data processing.

As of Thursday, the ICO has still not received an impact assessment even as trials have expanded to members of the public residing on the Isle of Wight. Jim Killock, chief executive of the Open Rights Group, commented: “This means NHSX are proceeding unlawfully with their trials”.