Parliament must legislate on the government’s plans for contact tracing apps

4th May 2020

On 4 May the Joint Committee on Human Rights took evidence from the Information Commissioner, academics and the CEO of NHSX on the risks to the right to privacy (Article 8 ECHR) if a contact tracing app is introduced to track and slow the spread of the coronavirus. This is helpful scrutiny of the government's plans. Yet if the government goes ahead with its proposed contact-tracing application it is essential that the processing of large amounts of personal data by the state, even if done in the public interest, needs a clear legal basis in the form of specific legislation.

How do the UK's plans for contact tracing apps in response to the coronavirus pandemic compare to those in other countries? Are we on course to safeguard the Rule of Law and what can we learn from debates elsewhere? Last week French parliamentarians decided to postpone debate on their contact tracing app: StopCovid , which will be subject to a dedicated vote by senators and MPs once it is ready. This follows heated debate within and between European countries about the preferred privacy-protecting type of technology necessary to trace coronavirus infections; and significant public hostility to contact tracing in France; based on concerns about their utility, and security of the app.

In the UK, the race is on for the NHS to deliver its contact-tracing app CV19 within weeks. Although individual use of the app will be voluntary, the UK parliament should follow France and legislate on how the app will be allowed to operate. To uphold the Rule of Law, legislation is necessary to ensure that there is a clear lawful basis for processing for such potentially intrusive data collection and use, including explaining why processing is necessary, and including detailed procedural safeguards against abuse or misuse.

Legislation governing the app is essential, this would follow the UK's peers at national level and also the activity of regional bodies. The European Commission has already published draft rules on the development of contact-tracing apps in the context of COVID-19. In Australia a ministerial determination is the legal instrument that temporarily underpins the use of the app until legislation can be passed through a reconvened Parliament in early May. It has been described by law firm Gilbert and Tobin as "sparse but seems clear-cut in its protections" .

First, it is essential that Parliament debates whether this method, which is reliant on a huge amount of sensitive data, is necessary and proportionate even in the current crisis. Second, parliamentarians need to confront issues around the safeguarding of personal data, oversight of the app, and deletion of the app and the collected data once it is no longer epidemiologically useful. The need for debate is particularly acute in light of the NHS's confirmation that the system will be centralised, rather than decentralised as recommended by privacy experts .

Contact tracing is a fundamental mechanism of outbreak control, a tool used by public health professionals to identify all people who have had close contact with a person who has tested positive for COVID-19. Contact tracing apps go beyond telephone-based contact tracing (for which the UK government is currently recruiting ) and enable rapid symptom reporting by individuals on their mobile phones. Bluetooth is used to log the distance between phones and other phones nearby; this log is stored on the phone to enable users of the app to be alerted if they have come into 'significant contact' with a person who has tested positive.

The government still has to pass through a number of stages before CV19 can be delivered. But despite the government's commitment to "transparency, ethics and the law " and important consultation with the Information Commissioner , a full parliamentary debate is not yet considered as one of these stages. Led by Professor Lilian Edwards, a group of academics in the UK have already published a draft Bill , showing what legislation that puts in place "safeguards in relation to the symptom tracking and contact tracing apps that are currently being rolled out in the UK" could look like.

The UK government should adopt a variant of this Bill, particularly in light of the extensive concerns raised during the oral evidence given to the Science and Technology Committee in a session on 28 April 2020. These include risk of, in the words of Professor Edwards, a "mass land grab in extensive state surveillance". The importance of caution and debate is amplified by the shadows cast over the accuracy of such an app as we are still, according to Professor Danny Altmann's evidence in the same session, "flying blind" in understanding exactly who transmits COVID-19, and how it is transmitted.

There are a range of important issues which need to be considered in parliamentary debates, including:

Justification of the UK's selection of a 'centralised' approach, and the consequences for iOS users given Apple's refusal to support centralised systems
How to ensure the app uses the minimum amount of data necessary to fulfil its function: preventing the spread of COVID-19;
How to protect anonymity, including preventing re-identification of users from anonymised data;
Open-source publication of the protocol;
Who will be able to access the data, both within government and relating to third parties;
Protections around data storage, sharing, and deletion

;This piece has been cross-posted with the permission of the UK Constitutional Law Association blog

External Link COVID-19

We use cookies to give you the best online experience. Please let us know if you agree to all of these cookies

What are cookies?

Cookies are small pieces of information that are stored on your computer to allow the British Institute of International and Comparative Law to recognise it when you visit our site. They can remember your preferences by gathering and storing information. They do not identify you as an individual user, just the computer used. Cookies cannot be used to run programs or compromise your security. Cookies do not give the British Institute of International and Comparative Law access to your computer.

What types of essential cookies does BIICL use?

We may use cookies to store information about your membership on our site, or to enable you to log in to online resources. This might include registering for our events, making online purchases or accessing member-only content. The information is stored, as cookies, to enable you to use these resources, and to remember your log in details between sessions. If you clear your cookies, you may need to login to these parts of the website each time you visit.

We also use some third party cookies to help us improve your user experience.

If you don't want to use third party cookies.

If you would prefer not to use third party cookies while browsing our site, you can set your browser so that it will not download cookies onto your computer. Doing so will still allow you to navigate through the majority of our site but possibly not all of it. If you wish to access the password protected areas of our website you will need to allow "per-session" cookies. These are temporarily used while you are visiting the site but deleted when you close your browser or log out.

Yes, I agree.

No, take me to settings

Parliament must legislate on the government’s plans for contact tracing apps

Related Publications

COVID-19 - Test for the World’s Legal Systems

Protests During Lockdown (England): A Rule of Law Analysis

Related News

Publication: Protection and Post-Pandemic Recovery for Vulnerable Groups: European and Asian Approac

New projects announced to address COVID-19 challenges