The COVID-19 Tracking App and Data Risks

The Coronavirus Tracking App technology has a vital part to play in reducing the spread of the virus, thus allowing businesses and schools to open and permitting a return to what has been christened ‘the new normal’.

The mobile COVID-19 phone tracker app has undergone trials on the Isle of Wight as part of the Government’s exit strategy for the lockdown. The idea is that mobile phones exchange encrypted digital identifiers via Bluetooth when they are in proximity to each other for sustained periods of time.

If a user subsequently tests positive for COVID-19, other phone users that had connected to the infected person’s phone are notified and told to apply to be tested and to self-isolate. This is known as the so-called ‘test, track, trace and isolate’ (TTTI) policy.

As it is due to be rolled out across the UK, it is hoped that as long as more than 50% of the population downloads the app, it will speed up the country coming out of lockdown while continuing to suppress the virus, keeping the ‘R’ number (the average number of secondary infections produced by 1 infected person) below one.

One thing that could prevent the required uptake and use of the app is the issue of people’s privacy as a result of the app’s centralised approach, which collects and stores personal data and uses it to map the spread of - and contain - the virus. The Government argues that this could provide it with valuable data about the spread of the disease and allow it to provide more nuanced messaging to users on what actions they should take.

The centralised approach has, however, raised many questions about data privacy. Although the NHS insists that everything will be transparent and that no data will be personally identifiable, it envisages future iterations of the app could collect additional data, such as locations, as well as it being able to include additional functionality without people’s consent or their knowledge.

Questions are also being raised about what happens to people’s data uploaded to the central server, which at the end of the crisis will still be available to NHS Digital, such as for sale to commercial organisations and foreign countries for medical research, which is permitted under a GDPR ‘Research Exemption’. The NHS argues, however, that people have to balance their data being collected and used for these other purposes against the benefits they receive in relation to COVID-19.

Other reported issues with the app include phone efficiency which early reports say can be significantly reduced due to issues in identifiers being picked up and with the operation of the app generally. Reliance on Bluetooth is also already raising security issues with reports that phishing emails and SMS messages could increase significantly as a result of Bluetooth being on and receiving data from other transmitters.

It is hoped that the Government will shortly be required to publish its Data Protection Impact Assessment (DPIA) required by the GDPR, together with reports on relevant technical information that will let experts comment on privacy and other issues. It can only be hoped therefore, that this information creates sufficient confidence in the app that people will be happy to download and use it.

rradarstation

Looking for more advice or guidance on this matter, or any other business-related issue?

rradarstation gives you 24/7 access to guidance, videos and on demand webinars answering frequent questions and downloadable templates to use in the day-to-day running of your business, each written and verified by our legal professionals. You will find the answers you are looking for at rradarstation.