NHS Covid-19 app update is blocked by Apple and Google

If we have worked together on data protection, you will have heard me mention the idea of data protection by design and by default. It’s enshrined in UK GDPR, and it essentially means that you consider data protection at the very start of every (IT) project, and all the way through, rather than leaving it as an afterthought when the designs are too costly to change.

We saw an example of how things can go wrong this week, as the BBC tech pages reported. The latest update of the NHS COVID-19 app was blocked by Apple and Google, for breaking the agreed rules on data sharing. The app had planned to ask users for their consent to upload logs of check-ins at venues, where we scan the QR code, in the event they tested positive. This information could then have been used to warn others that they should take a test. However, this broke the terms of the agreements which said that location data could not be collected by the software.

This does raise a few questions:

  • Could the UK have not used the same approach as in Scotland, where a separate app tracks venue check-ins?
  • Why did the UK app developers think this would be OK despite having signed the agreement with Apple and Google which clearly said it was not?
  • If this could be a benefit, is it right that tech companies can put constraints on the UK’s public health response to COVID?
  • Why didn’t the app developers adopt the approach of data protection by design and by default in the beginning, which would have prevented these problems?

I often talk about the balance between convenience and privacy, but perhaps public health should sometimes take precedence?