Privacy campaign groups Big Brother Watch and The Open Rights Group have voiced their concerns that there is a lack of clarity from the government about how the data of users of the new NHSX contact tracing app will be protected.
Concerns
The privacy campaign groups are concerned that both the Track and Trace system and the contact tracing app appear to be risking the privacy of the public as regards their personal details and that a lack of clarity over this is contributing to a lack of trust in the system by the public and, therefore, may be endangering public health and prolonging the pandemic’s effects.
A key concern by the privacy groups is the apparent lack of a legally required Data Protection Impact Assessment (DPIA). A DPIA, introduced by the UK’s data regulator, the Information Commissioner’s Office (ICO), is a process that can reduce the likelihood of data breaches.
No Longer Based on Public Trust
The Big Brother Watch website highlights what it believes to shift by the UK government from creating and nourishing public trust towards simply relying on coercion and penalties to make contract tracing in the UK work. For example, Big Brother watch says “This new approach to contact tracing is no longer based on public trust, but on exclusion, criminal sanctions and police enforcement. Many people will be rightly shocked to find they’re refused entry to coffee shops and restaurants unless they hand over their personal contact details. This is an astoundingly excessive law that poses a serious risk to privacy and data rights.”
Open Rights Group
Although the Open Rights Group was pleased that, in June, the government scrapped its plans to use a centralised model for its Covid-19 tracker app and opted for the decentralised model (no big, central database), it is also very concerned about the apparent lack of a Data Protection Impact Assessment (DPIA). The Open Rights Group highlights its particular concerns over the government’s apparent lack of clear explanation of how bars and restaurants should keep data, and what the legal liabilities are. It points out that although the England and Wales App and QR code scan for a venue may record that some people were there, it does not give the full picture and there may be a security and privacy loophole. For example, if a person doesn’t have a modern smartphone, and simply hands their data to a pub or restaurant, the Open Rights Group is concerned that the person will have little or no privacy protection and that no thought appears to have gone into the privacy and risks, even though those risks are very tangible.
What Does This Mean For Your Business?
The failure of the previous tracing app, criticisms of a lack of an effective, large scale track and trace system for 6 months, and a lack of availability of tests, a large death toll, and recent criticism of the government by the media over what appears to be a confused strategy and messages have all contributed to reduction in the level of trust. This is a difficult backdrop with which to launch a new app to which the government wants all of us to subscribe to. It may be particularly bad for many businesses who have been forced to make difficult decisions to comply with COVID laws e.g. in the hospitality industry to hear that the UK government may not have met its own legal requirement for a Data Protection Impact Assessment (DPIA). Although posting the QR code at business premises is a way to make it easier for businesses to comply and help with track and trace, there may well be a grey area as regards the collection and protection of data for those who don’t have a smartphone with the capacity to work with the app system. Trust, transparency, and clarity are all areas the government may need to work on to make a test and trace system work, help businesses and protect public health.