19 May 2020

NHS COVID-19 Tracing App – “Nothing To Fear But Fear Itself!”

Is the NHSx App even necessary?

The importance of contact tracing was apparent as soon as the virus manifested itself in the UK and in other parts of the world. The objective was that those who had been exposed to it would be quarantined to guard against spreading the infection, especially given the exponential rate of contagion.

However, contact tracing through manual means is resource intensive. Furthermore, although an individual can identify some of the people with whom he or she has been in contact, this becomes much more difficult to do:

  • when an individual has been in public places and does not know the identity of those in close proximity to him or her (eg standing in a shopping queue or on the London Tube)
  • when an individual seeks to recall the different exposure distances and contact times he or she has had with others (eg standing quite close to someone for several minutes gives rise to a different risk exposure than passing someone in the street) or
  • when an individual starts showing symptoms and then tries to work out both the pre-symptom and post-symptom contacts (taking into account that the virus could be contagious before symptoms are apparent)

We only have to consider the following recent news from South Korea to note the importance of contact tracing in seeking to prevent a second wave of infections after lockdown measures are relaxed. Earlier this month, one individual, who subsequently tested positive for COVID-19, visited five nightclubs and bars during one night, resulting in a new wave of infections. Over 2,000 establishments were ordered to close for a month, and several thousand individuals were urged to be tested. This took place after the government had relaxed social distancing measures, as the virus seemed to be under control.

As should be apparent from the above, as well as from the rapid spread of the virus in the UK and other countries, manual contact tracing will not curb the spread of the virus. Hence the need for an automated way of undertaking contact tracing to save lives.

Is the NHSx App going to be privacy intrusive?

Privacy concerns with regard to the NHSx App seem to have generated adverse publicity, with some suggestions that the NHSx App could lead to a ‘surveillance state’. However, it is important to rebut concerns such as these by focusing on the reality of the NHSx App and taking into account the requirements mandated by the government’s Joint Committee on Human Rights.

The amount of data that is collected

The NHSx App only collects a limited amount of personal data, and in fact much less data than many of the apps which individuals use these days. We only have to consider how much information users share through other commercial app services (viewing the privacy policy for such apps will make the large scale of data collection and processing apparent) to see the stark comparison with the NHSx App. Yet millions of individuals adopt a ‘care-free’ approach to installing such commercial apps, due to their perceived utility or entertainment value, without expressing any privacy concerns.

In contrast, the NHSx App collects a much more limited subset of information for safeguarding public health and lives. Furthermore, no GPS location data is gathered. Instead, the Bluetooth Low Energy (“BLE”) signal strength of connections to other devices running the NHSx App is collected to provide relational proximity, rather than actual location information (ie the NHSx App is not tracking a user’s specific location). The BLE signal strength provides an approximation of the distance between different devices, and therefore between individuals. BLE has the advantage of being a power-conserving variant of Bluetooth, which guards against unnecessary battery drain, and is commonly used in smart watches and proximity sensors.

Phone model data is also collected, so that adjustments can be applied to the BLE signal strength information to provide a truer measure of proximity, taking into account that different phone models behave differently with regard to BLE signal strengths. This ties in with the data protection law requirement to process data accurately.

Users of the NHSx App can also choose voluntarily to provide the first part of their postcode to the NHSx systems (again, this does not identify a user’s address or specific location). This allows trend analysis and local hospital resourcing, as mentioned in the section below.

Furthermore, the NHSx App does not gather any information about a user’s name. Instead, a unique random identification number is automatically generated for each user of the NHSx App (the NHSx refers to this as the “Sonar ID”). An encrypted form of the Sonar ID (which the NHSx refers to as the “Transmitted ID”) is exchanged between devices which come into each other’s proximity. The NHSx App also refreshes each user’s Transmitted ID on a daily basis with a new randomly generated identification number, to further safeguard privacy. Cryptography is also used by the NHSx App to authorise and encrypt the transmission of data.

A user’s device’s IP address is also captured by the NHSx App, for purposes such as load balancing and guarding against DDoS types of cyber attack. Organisational and technical measures are also implemented to segregate the IP addresses visible to the front end systems from the NHSx back end systems, to further protect privacy.

Centralised versus decentralised approach

There has been much debate about the centralised versus decentralised approach.

The NHSx App uses BLE to build a list of the contacts which a user has encountered, by way of the Transmitted IDs mentioned above (the “Transmitted ID List”). This will therefore constitute ‘pseudonymised’ personal data in data protection legislation terms, ie personal data that cannot be attributed to a particular individual without the use of additional information which is kept separately and which is subject to technical and organisational measures to keep it separate. This information is automatically deleted from the user’s phone after 28 days.

With the decentralised approach, the Transmitted ID List remains locally on a user’s device. Any matches of close proximity between an infected individual on the Transmitted ID List and the user of the device are detected locally on the user’s device. With the centralised approach, the Transmitted ID List, as well as the other details which the NHSx App collects, is securely transmitted to the NHSx’s systems for matching and detection purposes after a user uploads it; this happens after the user self-diagnoses that he or she is suffering from virus symptoms.

Although, from a privacy perspective, having data locally on a device is better for privacy, it does not mean that a centralised approach cannot have appropriate privacy safeguards applied to it. In order to understand why a centralised approach has been advocated by NHSx, one has to understand the benefits of doing so.
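As an added illustration (not NHSx’s code, and not its actual cryptographic scheme), the following Python model shows the mechanics described here and under “The amount of data that is collected”: a random Sonar ID per device, a Transmitted ID that rotates daily and that only the central service can link back to a Sonar ID, a Transmitted ID List pruned after 28 days, and an upload that takes place only after self-diagnosis. The HMAC derivation, the signal strength threshold and the service handing each device its daily Transmitted ID are modelling assumptions.

```python
import hashlib
import hmac
import secrets

RETENTION_DAYS = 28    # the page states contact data is deleted from the phone after 28 days
PROXIMITY_RSSI = -70   # assumed dBm threshold for "close proximity" (illustrative only)


class CentralService:
    """Holds the key linking Transmitted IDs to Sonar IDs; devices never hold it."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # assumption: one HMAC key, not NHSx's real scheme
        self._sonar_ids = set()

    def register(self):
        sonar_id = secrets.token_hex(16)     # random Sonar ID: no name or location attached
        self._sonar_ids.add(sonar_id)
        return sonar_id

    def transmitted_id(self, sonar_id, day):
        # Daily rotating pseudonym: without self._key a device cannot recover the Sonar ID
        msg = f"{sonar_id}|{day}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]

    def match(self, uploaded):
        # Centralised matching: only the service can resolve pseudonyms back to Sonar IDs
        days = {d for _, d, _ in uploaded}
        lookup = {self.transmitted_id(s, d): s for s in self._sonar_ids for d in days}
        return {lookup[t] for t, _, rssi in uploaded if t in lookup and rssi >= PROXIMITY_RSSI}


class Device:
    def __init__(self, service):
        self.service, self.sonar_id = service, service.register()
        self.contacts = []                   # Transmitted ID List: (transmitted_id, day, rssi)

    def broadcast(self, day):
        return self.service.transmitted_id(self.sonar_id, day)  # modelling shortcut, see lead-in

    def record(self, other_tid, day, rssi):
        self.contacts.append((other_tid, day, rssi))

    def prune(self, today):
        # Storage limitation: forget encounters older than RETENTION_DAYS (day is an integer)
        self.contacts = [c for c in self.contacts if today - c[1] < RETENTION_DAYS]

    def upload(self, today, self_diagnosed):
        # Upload happens only after the user self-diagnoses and chooses to share
        if not self_diagnosed:
            return None
        self.prune(today)
        return list(self.contacts)
```

A device that observes another device’s Transmitted IDs holds only pseudonyms: it cannot link them to a Sonar ID, and the same device broadcasts a different value each day.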

Centralising the data allows a number of advantages, which the NHSx believes are unavailable with the decentralised approach, including the following:

  • Trend analysis: This is key to understanding whether social distancing is working or not. It can also provide more up-to-date information in relation to the R-Number (namely, the effective reproduction number, which shows the average number of people that one individual will pass the virus on to). There are different models used to calculate the R-Number, with Public Health England’s model being based on the number of reported deaths. However, this is based on information provided on the number of deaths within recent weeks, and therefore does not make infection information available in the more dynamic and up-to-date manner that the NHSx App can offer.
  • Local hospital support: This allows proactive resourcing of regional hospitals, in response to the above trend analysis, by using the partial postcode information which is voluntarily provided by users.
  • Guarding against false positives and malicious actors: At the moment, the NHSx App is reliant upon self-diagnosis and self-reporting of virus symptoms for initial alerting purposes. This is due to the lack of large scale and timely virus testing. Consequently, there is a real risk of incorrect information being provided by users, which would generate ‘false positive’ alerts to users. The NHSx’s centralised approach allows risk modelling to mitigate the associated risks, something which can only really be undertaken in a decentralised model by removing the self-diagnosis (ie by using definitive test results which have been provided in a timely manner), which is not currently possible.

It is also important to understand that there are numerous safeguards implemented within the NHSx centralised approach. On iPhones, the device identifier cryptographic information is stored within the Secure Enclave Processor (a secure co-processor that is isolated from the main processor to provide an extra layer of security, so that the cryptographic integrity of its operations is maintained even if other aspects of the phone are compromised) using Apple’s standard APIs. Android devices are not standardised, so such information is stored in hardware secure storage on the handsets, or using software measures where this is not possible on a given handset model. Data is also transmitted from the user’s device to NHSx systems in a batch encrypted process using Transport Layer Security (“TLS”), the protocol which provides secure data transmission.

There is, of course, always the risk of security breaches. However, this is no different to any other system in the world. It does not mean that systems should not be deployed; it just means that security measures need to be implemented and continually monitored and updated.

However, there are certain issues associated with a centralised approach, such as interoperability issues with the apps of other countries which have taken a decentralised approach (such as Ireland). Therefore, it remains to be seen whether the final NHSx App rollout will adopt a centralised or decentralised approach, as Matthew Gould, the CEO of NHSx, has acknowledged that it would be technically possible to move to developing a decentralised system in place of the existing centralised approach, if required; albeit that this would then suffer from the deficiencies of that approach which have been outlined above.

Do you really need to install the NHSx App?

People around the world are becoming frustrated with the lockdown measures which are severely constraining their day-to-day lives. In order to try to be liberated from lockdown restrictions, the government has stressed the importance of the R-Number remaining well below one, as an R-Number above one risks exponential contagion. The South Korean example cited at the outset illustrates how a second exponential wave can potentially commence from the relaxing of lockdown measures, which can only be addressed through urgent contact tracing.

A report to the NHSx on effective configurations for a contact tracing app shows that the virus can be suppressed if at least 56% of the UK population use the NHSx App. This translates into at least approximately 80% of all UK smartphone users using the NHSx App (to take into account that not all of the UK population have a smartphone). The Isle of Wight beta testing of the NHSx App is encouraging: by mid-May, 65% of all smartphone users who could download the NHSx App had already done so. Consequently, huge public confidence is required in the NHSx App, which is why the government’s Joint Committee on Human Rights has called for independent oversight and additional legislative footing as a pre-condition to the national rollout of the NHSx App. This will also help ensure compliance with Article 8 of the European Convention on Human Rights (‘Right to respect for private and family life’).

It is therefore imperative that maximum uptake of the NHSx App occurs, to safeguard individuals, their loved ones and the NHS.

The Joint Committee on Human Rights’ Pre-conditions

As with any project, there are issues which arise from the initial design and testing phase. The Data Protection Impact Assessment (“DPIA”) which is required for projects such as the NHSx App is useful to highlight risk areas and concerns, so that they can be addressed.

The DPIA produced by the NHSx has shown that there are some areas which require further focus by the NHSx from a data protection law alignment perspective, such as: ensuring the deletion of data from back end systems (rather than just the NHSx App itself) when it is no longer required; ensuring that purpose limitation in respect of the processing of personal data is maintained (to avoid ‘scope creep’); ensuring that the rights of data subjects can be properly exercised; and ensuring that there are clear privacy notices addressing the processing of personal data. Consequently, it is reassuring for the general public that the government’s Joint Committee on Human Rights has stipulated that, prior to the national roll-out of the NHSx App, the following conditions must be addressed in new legislation in respect of the NHSx App (a number of which simply reinforce specifics of existing data protection legislation requirements):

  • Clear and limited purposes of the app for data processing, namely that it can only be used for preventing the spread of the virus and for no other purpose. Furthermore, the data may not be shared with third parties. This therefore relates to purpose limitation under data protection laws.
  • The Transmitted ID List must not be uploaded from a user’s device to the NHSx’s systems until the user has confirmed a self-diagnosis of having virus symptoms and has then chosen to upload such data. The Transmitted ID List must also be automatically deleted from the NHSx App every 28 days. This therefore relates to data minimisation, as well as storage limitation, under data protection laws.
  • Any data held centrally by the NHSx must be subject to the highest security protections and standards. This therefore relates to integrity and confidentiality requirements under data protection laws.
  • There need to be limits as to who has access to the data and for what purposes, with appropriate security protections being required for any systems on which such data may be processed. This therefore relates to purpose limitation, as well as integrity and confidentiality requirements, under data protection laws.
  • Data held centrally may not be used for data reconstruction (ie any pseudonymisation of data cannot be circumvented to gain information about an individual). This therefore relates to: the principles of lawfulness, fairness and transparency; integrity and confidentiality; purpose limitation; data minimisation; and storage limitation under data protection laws.
  • Data held centrally relating to a user must be deleted following a request from that user. The data also may not be held for longer than is required, and in any event for no longer than 2 years. All data collected must be deleted once the public health emergency is over. This therefore relates to storage limitation under data protection laws.
  • The Health Secretary must undertake a review and report to Parliament on the efficacy and privacy protections relating to the digital contact tracing system every 21 days.
  • Powers for a Digital Contact Tracing Human Rights Commissioner to ensure appropriate oversight of digital contact tracing, including looking into individuals’ complaints.

There is also a requirement for the NHSx App’s DPIA to be made public and updated as digital contact tracing progresses. This will assist with transparency and accountability with regard to the processing of personal data.

The above should therefore alleviate some of the concerns about the forthcoming national roll-out of the NHSx App, and help the UK in its objective to overcome the virus and its adverse effects as soon as possible.