As we have previously reported, NHSX, the innovation arm of the NHS, has been working on a Bluetooth-based contact tracing app to help slow the spread of the coronavirus. The app, called NHS COVID-19, was launched this week for a trial on the Isle of Wight and is currently only available to NHS and council workers on the island. The app has been designed and built by the NHS and forms part of the UK Government's "test, track and trace" strategy.
How does the NHS COVID-19 app work?
Installation of the app is voluntary but users who install the app will receive an alert if they have been in close contact with other users of the app who have reported that they were experiencing coronavirus symptoms. The hope is that people who receive such notification will take steps to avoid passing the virus on (e.g. by self-isolating).
When a user installs the app on their smartphone, the app uses Bluetooth technology to detect other phones in close proximity that are also running the app. The app monitors for how long the user's phone has been close to other phones running the app and, based on the strength of the Bluetooth signal, the app can also determine how close the phones have been to one another.
Users can decide to report on the app that they are experiencing COVID-19 symptoms. If the app determines that the symptoms indicate that the user might have coronavirus, the user will be asked if they want to send the details of the phone encounters that the app has collected to a central NHS database.
The central database uses a clinical algorithm to assess the uploaded data of phone encounters and the risk posed by each interaction. Other users who have had a high-risk interaction with the unwell user will be sent a notification via the app with targeted NHS advice but will not receive information about who the user with reported symptoms is.
If the NHS later discovers that the user's diagnosis was wrong and the reported symptoms were not coronavirus (e.g. through a COVID-19 test), the other users will be sent another notification letting them know if they can stop self-isolating.
The statement from the UK's National Cyber Security Centre (the "NCSC") announcing the launch of the NHS COVID-19 app stated that the app does not collect any of "your personal data". It explained that the app collects the following information:
- the first part of the user's postcode – so that the NHS can plan the local response;
- the user's phone make and model – to accurately measure the distance between the phones of users who have installed the app; and
- the user's installation ID – assigned randomly by the NHS to identify the user's phone.
The NCSC said that users will not, "at this stage", be asked for other information such as their name or email, and that "it's not possible to link the installation ID to you as an individual", so the information collected would not be considered personal data within the meaning of the General Data Protection Regulation (the "GDPR").
For added security, the app creates a different daily ID for each user to keep the installation ID private from other users that the app interacts with.
According to the statement, the app exchanges the following information during an encounter with other users who have the same app installed:
- the other app's daily ID;
- the date of the encounter;
- the Bluetooth signal strength and power (used to estimate the distance between phones); and
- the length of time the phones were in contact.
If the user reports they are experiencing symptoms and decides to upload the details of their phone's encounters to the centralised database, the NHS will be able to decrypt the daily IDs from the uploaded details to find the installation ID of any apps that need to be notified about possible exposure to coronavirus.
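To make the centralised exchange described above concrete, here is an added illustrative model in Python; it is not the NHS app's own code, key scheme or clinical algorithm. A server-held key turns an installation ID into an opaque daily ID that other phones store alongside the encounter fields listed above, and only the holder of that key can map the token back to an installation ID. The encrypt-then-MAC construction, the field names, the log-distance heuristic and the 2 m / 15 minute thresholds are assumptions chosen for the example, and all sample values are constructed.

```python
"""Toy model of a centralised contact tracing exchange.
Constructed illustration: not the NHS COVID-19 app's code, key scheme or
risk algorithm. Uses only the standard library so it runs offline."""
import hmac
import hashlib
import secrets
from dataclasses import dataclass

ID_LEN = 16     # bytes in an installation ID (assumption)
NONCE_LEN = 8   # per-day synthetic nonce (assumption)
TAG_LEN = 8     # truncated HMAC tag (assumption)


def new_installation_id() -> bytes:
    """Random installation ID, as the server would assign at install time."""
    return secrets.token_bytes(ID_LEN)


def _prf(key: bytes, *parts: bytes) -> bytes:
    """Keyed pseudo-random function over a labelled list of byte strings."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def make_daily_id(server_key: bytes, installation_id: bytes, date: str) -> bytes:
    """Encrypt-then-MAC the installation ID under the server-held key.

    Other phones only ever see the returned token, which changes every day,
    so they cannot link two days' sightings of the same installation."""
    nonce = _prf(server_key, b"nonce", installation_id, date.encode())[:NONCE_LEN]
    keystream = _prf(server_key, b"enc", nonce)[:ID_LEN]
    ciphertext = bytes(a ^ b for a, b in zip(installation_id, keystream))
    tag = _prf(server_key, b"mac", nonce, ciphertext)[:TAG_LEN]
    return nonce + ciphertext + tag


def recover_installation_id(server_key: bytes, daily_id: bytes):
    """Server side: verify the tag, then strip the keystream.

    Returns None for tokens not produced under this key (malformed, tampered
    or minted by a different server), so forged encounters cannot trigger
    a notification to an arbitrary installation ID."""
    if len(daily_id) != NONCE_LEN + ID_LEN + TAG_LEN:
        return None
    nonce = daily_id[:NONCE_LEN]
    ciphertext = daily_id[NONCE_LEN:NONCE_LEN + ID_LEN]
    tag = daily_id[NONCE_LEN + ID_LEN:]
    expected = _prf(server_key, b"mac", nonce, ciphertext)[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    keystream = _prf(server_key, b"enc", nonce)[:ID_LEN]
    return bytes(a ^ b for a, b in zip(ciphertext, keystream))


@dataclass
class Encounter:
    """The fields the article says are exchanged per encounter."""
    other_daily_id: bytes
    date: str
    rssi_dbm: float       # received signal strength
    tx_power_dbm: float   # advertised power, calibrated at 1 m (assumption)
    duration_s: int


def estimate_distance_m(rssi_dbm: float, tx_power_dbm: float,
                        path_loss_exponent: float = 2.0) -> float:
    """Log-distance path-loss model: a constructed heuristic, not NHS's algorithm."""
    return 10 ** ((tx_power_dbm - rssi_dbm) / (10 * path_loss_exponent))


def is_high_risk(enc: Encounter, max_distance_m: float = 2.0,
                 min_duration_s: int = 15 * 60) -> bool:
    """Constructed threshold rule standing in for the 'clinical algorithm'."""
    close = estimate_distance_m(enc.rssi_dbm, enc.tx_power_dbm) <= max_distance_m
    return close and enc.duration_s >= min_duration_s


def installations_to_notify(server_key: bytes, uploaded: list) -> set:
    """What the central database does with an upload: score each encounter
    and map only the high-risk daily IDs back to installation IDs."""
    targets = set()
    for enc in uploaded:
        if not is_high_risk(enc):
            continue
        inst = recover_installation_id(server_key, enc.other_daily_id)
        if inst is not None:
            targets.add(inst)
    return targets


if __name__ == "__main__":
    key = secrets.token_bytes(32)                  # server-held key
    alice, bob = new_installation_id(), new_installation_id()
    bob_today = make_daily_id(key, bob, "2020-05-07")
    upload = [Encounter(bob_today, "2020-05-07", -63.0, -59.0, 20 * 60)]
    print("notify:", [i.hex() for i in installations_to_notify(key, upload)])
    print("bob:   ", bob.hex())
```

The point of the `recover_installation_id` check is that an uploaded encounter list is untrusted input: the server should only act on tokens it can authenticate under its own key, which is also why the installation ID is never stored in clear on other users' phones.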
Contact tracing apps, such as NHS COVID-19, come with important data protection considerations. The use of data to combat the COVID-19 pandemic has been a hot topic, and both the European Data Protection Board (the "EDPB") and the UK's Information Commissioner's Office (the "ICO") have issued guidelines on contact tracing technology. Both data protection regulators seem to favour a decentralised model for contact tracing apps, where users' encounter data is not stored in a central database but only on users' devices. It has been reported that the decentralised model has been favoured by countries such as Germany, Switzerland, Austria, Italy and Estonia. Conversely, the UK, France, Norway, Singapore and Australia have all adopted a centralised model.
In the UK, the NHS COVID-19 app relies on a central database, designed in collaboration with the NCSC, which will collect data from users who have reported symptoms and who agreed to share the details of their encounters with the NHS. On one hand, this gives the NHS visibility of the number of reported symptoms in a postcode area, helping the NHS plan local resources and learn more about the spread of the coronavirus. On the other hand, a centralised database can be a more lucrative target for hackers, and users who do not feel comfortable sharing their data with the government might be less likely to use the app. This is an important consideration because, as the Ada Lovelace Institute has pointed out, effective deployment of contact tracing technology will be contingent on public trust and confidence in the technological solution adopted.
Another important consideration in the centralised model is its technological limitation. On iOS and Android devices, an app cannot keep broadcasting its Bluetooth signal for extended periods while it is running in the background (e.g. if the user locks the device or is using a different app). This limitation was introduced before the COVID-19 pandemic to protect the privacy of mobile device users, and means that the NHS COVID-19 app will be able to broadcast the app's daily ID only for a limited amount of time, likely decreasing the effectiveness of contact tracing apps.
Apple and Google have announced a joint effort to build an API that would allow contact tracing apps that meet specific criteria to broadcast a Bluetooth signal even while the app is in the background. However, it has been reported that the API will be available only for contact tracing apps that have adopted the decentralised model and meet other specific criteria around privacy, security, and data control.
Purpose limitation, data sharing and data retention
It is also currently not clear how the NHS COVID-19 app will deal with issues like purpose limitation (e.g. what will NHS and third parties be able to use the data for?), data sharing (e.g. will the data be shared with any third parties?) and data retention (e.g. how long will the data be kept in the centralised database for?), and how the data on the centralised database will link with the data collected by the app about the user's symptoms.
Some of these concerns were also raised by the UK Parliament's Joint Committee on Human Rights in its report on 7 May. The Committee has asked the UK Government to introduce primary legislation to offer appropriate data and human rights protections for data collected via the app, introduce regular reviews and independent oversight, and prevent "mission creep".
We have previously suggested that contact tracing apps are not a silver bullet that will end the COVID-19 pandemic but can be a useful tool to help manage lifting lockdown restrictions, especially if they gain people's trust and are widely adopted by the population.
Apart from the privacy and technological considerations discussed above, the success of the NHS COVID-19 app will also depend on the quality of the data, such as ensuring the accuracy of the self-reporting mechanism, e.g. by making COVID-19 tests available to users who have reported that they have been experiencing symptoms.