On 4 May the Joint Committee on Human Rights took evidence from the Information Commissioner, academics and the CEO of NHSX on the risks to the right to privacy (Article 8 ECHR) if a contact tracing app is introduced to track and slow the spread of the coronavirus. This is helpful scrutiny of the government's plans. Yet if the government goes ahead with its proposed contact-tracing application it is essential that the processing of large amounts of personal data by the state, even if done in the public interest, needs a clear legal basis in the form of specific legislation.
How do the UK's plans for contact tracing apps in response to the coronavirus pandemic compare to those in other countries? Are we on course to safeguard the Rule of Law and what can we learn from debates elsewhere? Last week French parliamentarians decided to postpone debate on their contact tracing app: StopCovid , which will be subject to a dedicated vote by senators and MPs once it is ready. This follows heated debate within and between European countries about the preferred privacy-protecting type of technology necessary to trace coronavirus infections; and significant public hostility to contact tracing in France; based on concerns about their utility, and security of the app.
In the UK, the race is on for the NHS to deliver its contact-tracing app CV19 within weeks. Although individual use of the app will be voluntary, the UK parliament should follow France and legislate on how the app will be allowed to operate. To uphold the Rule of Law, legislation is necessary to ensure that there is a clear lawful basis for processing for such potentially intrusive data collection and use, including explaining why processing is necessary, and including detailed procedural safeguards against abuse or misuse.
Legislation governing the app is essential, this would follow the UK's peers at national level and also the activity of regional bodies. The European Commission has already published draft rules on the development of contact-tracing apps in the context of COVID-19. In Australia a ministerial determination is the legal instrument that temporarily underpins the use of the app until legislation can be passed through a reconvened Parliament in early May. It has been described by law firm Gilbert and Tobin as "sparse but seems clear-cut in its protections" .
First, it is essential that Parliament debates whether this method, which is reliant on a huge amount of sensitive data, is necessary and proportionate even in the current crisis. Second, parliamentarians need to confront issues around the safeguarding of personal data, oversight of the app, and deletion of the app and the collected data once it is no longer epidemiologically useful. The need for debate is particularly acute in light of the NHS's confirmation that the system will be centralised, rather than decentralised as recommended by privacy experts .
Contact tracing is a fundamental mechanism of outbreak control, a tool used by public health professionals to identify all people who have had close contact with a person who has tested positive for COVID-19. Contact tracing apps go beyond telephone-based contact tracing (for which the UK government is currently recruiting ) and enable rapid symptom reporting by individuals on their mobile phones. Bluetooth is used to log the distance between phones and other phones nearby; this log is stored on the phone to enable users of the app to be alerted if they have come into 'significant contact' with a person who has tested positive.
The government still has to pass through a number of stages before CV19 can be delivered. But despite the government's commitment to "transparency, ethics and the law " and important consultation with the Information Commissioner , a full parliamentary debate is not yet considered as one of these stages. Led by Professor Lilian Edwards, a group of academics in the UK have already published a draft Bill , showing what legislation that puts in place "safeguards in relation to the symptom tracking and contact tracing apps that are currently being rolled out in the UK" could look like.
The UK government should adopt a variant of this Bill, particularly in light of the extensive concerns raised during the oral evidence given to the Science and Technology Committee in a session on 28 April 2020. These include risk of, in the words of Professor Edwards, a "mass land grab in extensive state surveillance". The importance of caution and debate is amplified by the shadows cast over the accuracy of such an app as we are still, according to Professor Danny Altmann's evidence in the same session, "flying blind" in understanding exactly who transmits COVID-19, and how it is transmitted.
There are a range of important issues which need to be considered in parliamentary debates, including:
- Justification of the UK's selection of a 'centralised' approach, and the consequences for iOS users given Apple's refusal to support centralised systems
- How to ensure the app uses the minimum amount of data necessary to fulfil its function: preventing the spread of COVID-19;
- How to protect anonymity, including preventing re-identification of users from anonymised data;
- Open-source publication of the protocol;
- Who will be able to access the data, both within government and relating to third parties;
- Protections around data storage, sharing, and deletion