Contact tracing – Covid-19 and data protection concerns


Among the measures being considered to ease the UK out of lockdown, app-based contact tracing is taking centre stage.  We take a look at the pressing concerns about data protection and privacy that this raises, and consider how app-based contact tracing could and should be able to operate within the confines of data protection law.

NHSX, the UK health service's digital innovation arm, is said to be in the testing phase of its contact tracing app for COVID-19.  We understand that the app, once installed on a smartphone, will use low-energy Bluetooth beacons to log a memory of other app users with whom they have come in close proximity (the “contacts”).  Where an individual logs a positive test result in the app, their past contacts would be alerted anonymously and advised to self-isolate.
Why move to app-based contact tracing?
App-based contact tracing marks a significant step-up from the solely manual contact tracing used in the early phase of the COVID-19 outbreak.  Manual contact tracing is a well-established method for monitoring and combatting a disease outbreak and involves public health officials interviewing a person who tests positive so as to identify and reach out to those with whom the infected person has been in contact.  However, with an estimated 50% of COVID-19 transmissions occurring before an infected person develops symptoms, a new and quicker way to inform people that they are at risk and should self-isolate is required.
A contact tracing app would complement manual contact tracing in slowing the transmission of Covid-19 by:
  • Reducing the length of time for a contact to be traced from 72 hours to around 4 hours
  • Scaling-up the number of traceable contacts
  • Freeing-up resources that would otherwise be used in manually following-up contacts

What is needed to make app-based contact tracing effective?
The success of an app-based strategy to tackle COVID-19 transmission would require significant public buy-in.  It is estimated that, for the strategy to be successful, around 60% of the population would need to download and use the contact-tracing app – this equates to 80% of all smartphone users in the UK.  Polling has suggested that almost two-thirds in the UK favour the use of smartphones for tracking and contact tracing purposes. Nevertheless, many individuals have concerns about the idea of being tracked in any way by the government, particularly in a world that is fast becoming privacy focused. It is suggested that some 20% of smartphone users have concerns about the privacy aspects of the app. However, it is thought that even where a smaller proportion of the population uses the app, this would have a positive impact on slowing the transmission of COVID-19.
A contact tracing app, if used on as large a scale as is anticipated, would be a conduit for a vast amount of personal data.  This will include special category health data, and in some cases, location data.  Therefore, it is vital that app users have confidence that their personal data will be securely and properly handled, and that key privacy concerns are addressed.
Key privacy concerns are likely to include:
  • What data would be collected?
  • What control will individuals be offered over the use of their data?
  • How will data be securely stored?
  • Who will see or have access to the data?
  • What oversight will there be to ensure transparency, governance and accountability?
  • When will the data be deleted?

What measures are being taken to protect privacy?
Apple and Google have joined forces to produce a framework upon which public health authority contact tracing apps can be built.  Recognising concerns about privacy, the tech giants are emphasising:
  • User choice as to what data is shared (including any Covid-19 diagnosis)
  • Freedom to turn off and/or uninstall the technology at any time
  • No collection of location data
  • No user IDs being shared with other users, Apple or Google
  • The “memory” of nearby app users taking the form of code that changes regularly, to help prevent tracking
  • Apple and Google being able to disable exposure notifications on a regional basis, when no longer required
The Information Commissioner's Office (ICO) has published its opinion on the Apple-Google framework, noting that it is aligned with the fundamental principles of "data protection by design and by default".  The ICO has also stressed that those who use the framework to develop contact tracing apps must still ensure compliance with data protection law, in particular where an app collects data over and above what is proposed by the framework.
A recent blog by Elizabeth Denham, Information Commissioner, has reiterated the importance of data protection by design and that developers will need to ensure they have in place:
  • An initial privacy impact assessment, to be developed over time
  • Plans to collect only a proportionate amount of data
  • Clear information for users: how is information used and how can they opt-out?
  • Decentralised systems, avoiding transfers of information where possible
  • Plans for when data collection will end and what will happen to the data already collected
The ICO's role in engaging with such fundamental issues and providing its views on the lawfulness of any proposal demonstrates the importance of the regulator, and of data privacy concerns more widely, in managing the current healthcare crisis. 
What are the next steps being taken?
It is estimated that the first apps using the Apple and Google framework will be available within weeks.  However, France and Germany are pursuing app designs of their own.  The UK’s NHSX also considers that its app will be ready over the next few weeks but has now confirmed that its contact tracing app will not use the Apple-Google framework. Instead it has developed an app where contact matching is undertaken through a centralised server rather than, as Apple and Google have favoured, locally on each handset. There are also plans for individuals to "opt in" to the app registering location information in some circumstances. Whilst there are natural privacy concerns arising from a centralised system logging this kind of data, and how that might be managed securely both now and after the pandemic has passed, NHSX considers that this model is the most effective in tracking the effectiveness of the app in managing a return to a "new normal".  The ICO has stated that it has been working closely with NHSX to ensure high levels of transparency and governance – it will continue to offer support as the NHSX app is developed, rolled out and subsequently retired.
Regardless of the underlying framework and app developer, the rules on data protection currently apply broadly equally in the UK and across the EU – therefore, the approach to privacy should be the same. As promised in its Recommendation of 8 April 2020, the EU Commission has now produced a Common EU Toolbox for contact tracing apps and associated Guidance.  The central pillars of the EU approach to contact tracing are that it is:
  • Voluntary
  • Approved by the national health authority
  • Privacy-preserving
  • Dismantled as soon as it is not needed
How does this differ from approaches elsewhere in the world?
Elsewhere in the world, contact tracing involves smartphone location data.  This raises concerns about Covid-19 sufferers being identified from the data collected, potential stigmatisation and a consequent trend to under-report symptoms.
However, there has been strong uptake of apps in South Korea, where contact tracing involves location data being used in conjunction with surveillance camera footage and records of credit card transactions.  In China, firms with expertise in facial recognition technology are deploying contactless temperature detection – an individual not wearing a face mask can be identified with 99.9% accuracy and their temperature determined within a 0.3°C range.  Both South Korea and China appear to have succeeded in flattening the Covid-19 curve.
A less intrusive contact tracing app was launched by the Singaporean government in March, using only Bluetooth and not location data.  While the app has had only limited uptake (less than 17% of the population since its launch in March), Singapore initially appeared to be successful in combating the disease.
It will be important to see the final forms of contact tracing app deployed in the UK and in territories across Europe before assessing whether any privacy concerns are well founded.  There are inevitably tensions to be worked through as regulators, governments and public health authorities the world over consider how to act swiftly and effectively against the virus, whilst respecting individuals' privacy and data rights.  Whilst the available EU guidance would suggest that the various apps may end up being quite similar, at present only the UK and France appear to be favouring the centralised system for matching contacts. Only time will tell which approach best balances the overriding public interest in tackling the pandemic effectively and efficiently, and the protection of privacy and data rights.  
Whatever the future holds, app-based contact tracing is emerging as a necessary step in order to find a way out of lockdown and data protection considerations are fundamental to making it work. The ICO's engagement with these difficult issues demonstrates how important its role is considered to be, both in the public and private sectors.  In stressing the importance of "data protection by design", and encouraging the development of new technologies, the ICO is very ably demonstrating that data protection does not need to stifle innovation. 

About us
If you have any queries on data protection and contact tracing, please contact the relevant member of our Data Privacy Group.

Trowers & Hamlins has a data privacy team that brings together individuals from across the firm who specialise in data issues as part of their wider area of expertise (be it in commercial/transactional, employment, dispute resolution or pensions matters). This is because we believe that data protection advice must be given in the relevant context of those other skills by identifying and applying the relevant principles from the data protection legislation to the matter in hand. This enables our team to provide meaningful, practical and tailored insight, with a depth of understanding of the challenges our clients face.


