Human Rights and the Government’s Response to Covid-19: Digital Contact Tracing (7 May 2020) is the report of the parliamentary Joint Committee on Human Rights on the proposed NHS contact app. The report, and the evidence given to the Committee, shine a light on the human rights issues and serious privacy concerns raised by the initiative.

The Committee explained the app as follows:-

Digital contact tracing generally works by an app on a user’s smartphone registering and storing details of another smartphone when it is within a defined distance for a certain period of time and if a user tests positive for (or is suspected of having) the virus, the app notifies these contacts that they may themselves be affected.

Over a period of days the committee of MPs and members of the House of Lords heard evidence from the NHS, academic lawyers and experts, and the Information Commissioner about the app, how it would work, the privacy concerns, what the information would be used for, and who would be responsible for the independent oversight of the new procedures.

Although the Committee heard evidence from the Information Commissioner to the effect that her office had been working closely with the NHS to ensure that privacy and human rights concerns are addressed in relation to the information generated by the app, the big takeaway from the Report is the Committee’s demand for far stricter safeguards before the app is launched.

First of all, it is important to note that the Committee was not convinced about the efficacy and the benefits of the app as currently described to it.  This coloured many of its comments on data protection and human rights – if the app does not work well then the collection of data is more likely not to be proportionate or necessary, important touchstones for the retention of personal information for both the Data Protection Act 2018 (DPA) and Article 8 of the European Convention on Human Rights.

Second, the Committee was also concerned that the NHS was pursuing a centralised app, rather than taking a decentralised approach as other countries have done. It described the UK as an ‘outlier’ in this regard, noting that storage of data was less secure on a centralised server.

Third, the Committee considered the information to be retained and the use to which it would be put. It was concerned that, although the information will be anonymous, it will include things like the first half of a person’s postcode, which might enable a person’s identity to be discovered when matched up with other information. The NHS confirmed that the information would be retained only for ‘research in the public interest or for use by the NHS for planning and delivering services’, but it appeared that there would be few other limits on when and for what purposes the information would be used.

These factors led the Committee to demand that primary legislation be passed (as it has been in other countries such as Australia) to provide guaranteed data and human rights protections in relation to the data collected. It rejected the view put forward by the Information Commissioner in evidence that the DPA already contained sufficient safeguards, and noted the speed with which the coronavirus legislation had been passed by Parliament. The Committee explained:-

State-controlled apps that enable the mass surveillance of personal data, and that could then enable the (proportionate or otherwise) violation of fundamental rights are novel. The introduction of such an app is an innovative apparatus of state interaction with its citizens. The implications of such an app are so widespread, significant, and, as yet, subject to limited public examination, that they should be subject to the in-depth scrutiny of Parliament at the earliest opportunity.

Likewise, although the Information Commissioner explained her role as the appropriate watchdog and overseer of the data concerns about the app, the Committee did not think this was sufficient, and its questioning revealed concerns about the Information Commissioner’s role in advising the NHS during the development of the app. Instead, the Committee wants to see a Digital Contact Tracing Human Rights Commissioner responsible for oversight, dealing with complaints, and reporting to Parliament.

The Report has been issued at a time when the NHS has still to produce a Data Protection Impact Assessment in relation to the app. This is the process by which the NHS will formally explain its view as to whether the app complies with the DPA and the protections on personal information in particular.  The Report from the Committee suggests that the NHS will struggle to produce a convincing impact assessment, and if it proceeds then to introduce the app without primary legislation it faces the risk of legal challenge based on the human rights and privacy points raised by the Committee.