Our Latest

The Government has been racing to find ways to ease the lockdown restrictions, as the UK has been in lockdown since the end of March.

One way is the launch of the contact tracing application, which is designed to let people know if they have been in close contact with someone who has tested positive for Covid-19. 

This application is currently being tested in the Isle of Wight and went live on the island at the beginning of May.

The application is downloaded to a user’s phone and keeps a trace of others who have been in close proximity with that individual, which is done via Bluetooth signals that transmit anonymous ID. These Bluetooth signals then perform a digital “handshake” when two users come into contact with each other, keeping their data anonymous.

If a user then later reports that they have tested positive for Covid-19, a message will be sent from the application to other users who have been in close contact with them during the last 28 days (possibly including how close they were, and for how long). This message will warn the user who has come into contact with the person who has tested positive to self-isolate.

The ICO has stated in its recent guidance in relation to the application, that any additional functions, such as recording/communicating location in which contact has taken place, or collection of additional data to support other functions, is considered beyond the core functionality needed for contact tracing.

With this application relying on users inputting their personal data and voluntarily opting in to record details of their symptoms in the event they feel unwell, what privacy issues does this create for the public?

A number of concerns have been raised by privacy experts, such as:

1. Patient confidentiality being compromised.
2. The application collecting location information.
3. The Government holding onto the personal data for longer than necessary.

The ICO have now published core principles and best practice for contact tracing application development, which include the following:

1. Be transparent about the purpose.
2. Be transparent about your design choices.
3. Be transparent about the benefits.
4. Collect the minimum amount of personal data necessary.
5. Protect your users.
6. Give users control.
7. Keep data for the minimum amount of time, and, where appropriate, ensure the user has control over this.
8. Securely process the data.
9. Ensure the user can opt in or opt out without any negative consequences.
10. Strengthen privacy, don’t weaken it.

NHSX, who are currently working to develop the application, have stressed that it has been built with privacy in mind, and that the application will not request any personal data, only the first three digits of the user’s postcode. It has also been stressed that the application is completely voluntary and requires consent at various different stages. 

It would appear as through the application is still early in its development stages. Clearly NHSX must weigh up public health against safeguarding personal data. Watch this space.

For advice or assistance with data protection issues in your business, please contact Charlotte Higgins on 0114 249 5969.