NHS contact-tracing app may fall short of data protection law

Delays to the current NHS contact-tracing app indicate that it may be redesigned, but a lecturer in digital rights at University College, London has assessed the current app and has found that it falls short of data protection law on anonymity and access to data.

Michael Veale, in an article for Digital Health, identified 2 key issues:

NHSX claim that personal data is anonymised but that is not the case. The app processes pseudonymous and not anonymous data (it has to for the centralised approach to work) and therefore the data in the NHSX app is ‘capable’ of revealing an individual’s identity. NHSX may not currently plan to do so, but it could and that’s what matters. A third party might upload data about you without your consent, for example if you may have been in close contact in a cafe, and since it’s not truly anonymised and hence is classified as personal data. In the NHSX app DPIA, they admit this.

Based on the Isle of Wight version of the app, it also seems that data subjects will find it almost impossible to exercise their rights to erasure or access. Again, the DPIA says that data subjects may be able to access their information, but that ‘the technical practicability needs to be assessed’. Again, these rights are enshrined in law and must be available, whether ‘technically practicable’ or not.

Let’s hope that when the final version of the app is available, they have sorted these things out.  However, it doesn’t instil much confidence that ‘data protection by design and by default’ has been a priority.