The Information Commissioner’s Office has told NHSX to ensure its soon-to-launch coronavirus contact-tracing app gathers as little personal data as is needed for its purposes, and stores information for no longer than is necessary.
The app this week began a testing phase in the Isle of Wight, where health service and local authority staff are now able to download it. From today, all residents of the island will be able to do so.
Shortly before the pilot began, the ICO issued NHSX with a 10-point guidance document outlining the principles it believed should “guide the development of your contact-tracing app” and its ongoing approach to the collection and processing of personal data.
The first three points all relate to transparency, with the ICO asking that the app’s developers are completely open about the program’s purpose, design choices, and benefits.
If there is some degree of “tension” regarding the benefits that may be achieved by different parties, NHSX is encouraged to “be clear on how you have managed these in the data-protection context”.
The ICO added: “Explain if the purpose is only proximity notification or if the purpose is broader, or is likely to expand in accordance with any development roadmap. Explain any additional purposes clearly and make sure you assess the necessity and proportionality of the processing the app undertakes.”
The fourth principle is that the technology should “collect the minimum amount of personal data necessary”, while the seventh stipulates that data should be kept “for the minimum amount of time, and, where appropriate… the user [should have] control over this”.
Developers should start from a position of trying to create an app that could work without gathering or storing any data that could identify individual devices or users, and rely solely on the device’s location data.
“Begin by considering whether you can generate and match identifiers on-device,” the ICO said.
“Where this approach is available, feasible, and enables you to achieve your purposes, then you should use it. If you decide to use an alternative approach, you must be able to explain why it is necessary to do so, as well as the steps you will take to ensure you will not introduce unnecessary risks to the user.”
The regulator added: “Store data for the minimum amount of time necessary for your purposes. Explain what that period will be and why. Avoid gathering, augmenting or correlating user data without express permission.”
The fifth and sixth principles are to “protect users” via the use of “pseudonymous identifiers”, and to give them control over how their data is used by implementing a “privacy dashboard”.
The eighth point on the ICO’s checklist is to “securely process the data” via the use of cryptography and other security technologies and techniques.
Opt in and opt out
The ninth principle requires that users of the app “can opt in or opt out without any negative consequences”.
“App use – from installation to sharing of information – should be voluntary, with no negative consequences for individuals if they do not take action,” the document said. “Functions should be de-coupled to allow the user to benefit from one function without being compelled to provide data for other functions.”
The final data-protection request is that developers should only strengthen privacy, and not do anything to weaken it.
The ICO said: “Ensure the design of the app does not introduce additional privacy and security risks for the user – for example requiring the phone to be unlocked.”
It added: “The ICO will keep these recommendations under review, taking into account how the Covid-19 pandemic develops and the particular proposals under development to respond to the crisis. The ICO is open to any conversation regarding these recommendations in order to help technical teams build data protection by design and default into their service, because this is the best way to promote trust and confidence in any solution.”
Once someone has downloaded the app, they are encouraged to report any symptoms of coronavirus they subsequently suffer.
“The app… will [then] detect any other app users that the person has been in significant contact with over the past few days, including unknown contacts such as someone they may have sat next to on public transport,” the government said. “The app will be able to anonymously alert these contacts and provide advice, including how to get a test to confirm whether or not they do have Covid-19. Users will be able to order tests through the app shortly.”
Those unable to access the app will be offered means to report symptoms and contacts online or via a telephone interview. This work will be supported by the deployment by Public Health England of 18,000 dedicated staff.
Health and social care secretary Matt Hancock said: “The app will help control the spread of coronavirus by alerting people they may have come into contact with it and recommending appropriate action. This groundbreaking technology, combined with our heroic frontline health and social care staff and a nationwide contact tracing testing programme, will ensure that we remain in the best position to move toward easing the lockdown.”
However, there has been speculation about how the app’s functionality will work, as both Apple and Google have backed the development of decentralised platforms for iPhones and Android phones that warn users if they have been near an infected person but do not create a central database of information.
Apple and Google created the local system in order to protect privacy. The NHS system will create a centralised database of anonymised users to match them up, while the Apple- and Google-backed system will do the matching on users’ phones rather than on a central system.
It has also been reported that the NHS system may not be able to use a phone’s Bluetooth connection unless the app is running in the foreground on the user’s screen. However, the NHS has said it has been able to work around the restrictions that usually mean apps cannot use a phone’s Bluetooth while running in the background.
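As an added illustration (not code from NHSX, Apple or Google), this toy Python model shows what the ICO’s “generate and match identifiers on-device” advice and the centralised-versus-decentralised contrast above mean in practice: what each phone stores, what a positive user uploads, and what the server ends up holding under each design. The key derivation, the 10-minute identifier rotation and the device names are assumptions.

```python
"""Toy model of rotating pseudonymous identifiers with on-device (decentralised)
versus centralised matching. Constructed example, not the NHSX app's code."""
import hmac, hashlib, os

SLOTS_PER_DAY = 144  # hypothetical: a fresh identifier every 10 minutes

def daily_key(seed: bytes, day: int) -> bytes:
    """Hypothetical derivation: one key per day from a secret that never leaves the phone."""
    return hmac.new(seed, b"day:%d" % day, hashlib.sha256).digest()

def rolling_ids(dkey: bytes) -> list:
    """Identifiers broadcast over Bluetooth during one day; unlinkable without the day key."""
    return [hmac.new(dkey, b"slot:%d" % s, hashlib.sha256).digest()[:16]
            for s in range(SLOTS_PER_DAY)]

class Device:
    def __init__(self, name):
        self.name, self.seed, self.observed = name, os.urandom(32), set()
    def broadcast(self, day, slot):
        return rolling_ids(daily_key(self.seed, day))[slot]
    def hear(self, other_id):
        self.observed.add(other_id)        # only the pseudonym is kept, never who sent it
    def report_keys(self, days):
        return [daily_key(self.seed, d) for d in days]   # all a positive user uploads
    def on_device_match(self, published_keys) -> bool:
        # Decentralised: every phone downloads the reported keys, regenerates the ids
        # those keys would have produced and intersects locally; the server never learns
        # who matched or who met whom.
        candidates = {i for k in published_keys for i in rolling_ids(k)}
        return bool(self.observed & candidates)

def centralised_server_view(uploads: dict) -> dict:
    """Centralised: phones upload what they heard and the server does the matching,
    so it holds a contact record for every uploader, not only reported cases."""
    return {name: len(ids) for name, ids in uploads.items()}

def simulate() -> dict:
    a, b, c = Device("A"), Device("B"), Device("C")
    day = 18389                        # constructed day index
    for slot in (40, 41, 42):          # A and B sit together for 30 minutes; C is elsewhere
        b.hear(a.broadcast(day, slot)); a.hear(b.broadcast(day, slot))
    published = a.report_keys([day])   # A tests positive and uploads only its day key
    return {
        "b_alerted": b.on_device_match(published),
        "c_alerted": c.on_device_match(published),
        "server_holds_decentralised": len(published),      # one key, no contact graph
        "server_holds_centralised": centralised_server_view(
            {d.name: d.observed for d in (a, b, c)}),      # heard ids from everyone
    }
```

Running `simulate()` alerts B but not C in both designs; the difference is that the decentralised server holds a single reported key while the centralised one holds every phone’s observation list.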