NHS Contact Tracing
NHSX revealed earlier this month the launch of the NHS contact tracing application which could aid in the fight against the spread of COVID-19 and potentially help in deciding the timing for easing the lockdown restrictions. Once installed, the app begins to keep a log of phones which have come within a certain distance of each other. The log is stored on the phone and once an individual becomes unwell with the symptoms, they can choose to inform NHS through the app. Once informed, the app triggers an anonymous alert to the other app users who came into contact with that infected person over the previous days.
The app uses a centralised model whereby the tracing process takes place on an external server. Apple and Google proposed a decentralised model whereby the exchange of tracing data would take place on handsets as they said it made it harder for hackers or authorities to track and identify individuals. NHSX has since rejected Apple and Google’s model.
NHSX states that privacy is crucial to the NHS and the app will always be compliant with the Data Protection Act. However, privacy lawyers and experts have expressed concern that this may become an area for claims for data breach protection. Pivotal for the app to work is the collection of a vast amount of private information regarding people’s health and the surveillance of individuals and their social interactions. If this information is mishandled, for instance in the form of leaks, hackers or general misuse of private information, there may occur a breach of the DPA.
Data protection solicitors have also highlighted the possibility of the collected data being used for other purposes than originally intended for when the pandemic slows down. Apps often bring out updates which slightly alter the terms and conditions without flagging up the small-print to the user. It is therefore possible that the user agrees further data collection without thoroughly understanding the implications to the invasion of the privacy.
Compliance with the Data Protection Act 2018
The DPA exists to protect people’s privacy and personal data, which includes any information which relates to an identifiable individual. The DPA is based on eight principles which guide ‘good information handling’. In order for any app to comply with the DPA, personal information must be:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Not kept longer than necessary
- Processed in accordance with the data subject’s rights
- Held securely
- Not transferred to countries outside the European Union without adequate protection
Under the Act, individuals have the right of access, whereby they can ask the data controller to confirm whether their personal information is being processed and if so, to receive a copy of the personal information. Individuals can also rectify information where it is incorrect and request that information is erased. The right to erasure, also known as the right to be forgotten, and the right to object to processing are of particular importance in the context of the NHS contact tracing app.
There are a large variety of remedies and compensation available for victims of data protection breaches. Privacy lawyers can help individuals bring a claim for data breach protection where their rights under the DPA have been breached.