The UK’s data protection watchdog confirmed today the government still hasn’t given it sight of a key legal document attached to the coronavirus contacts tracing app which is being developed by the NHSX, the digital transformation branch of the country’s National Health Service .
Under UK and EU law, a Data Protection Impact Assessment (DPIA) can be a legal requirement in instances where there are high rights risks related to the processing of people’s information.
Last month the European Data Protection Board strongly recommended publication of DPIAs in the context of coronavirus contacts tracing apps. “The EDPB considers that a data protection impact assessment (DPIA) must be carried out before implementing such tool as the processing is considered likely high risk (health data anticipated large-scale adoption, systematic monitoring, use of new technological solution). The EDPB strongly recommends the publication of DPIAs,” the pan-EU data protection steerage body wrote in the guidance.
Giving evidence to the human rights committee today, UK information commissioner Elizabeth Denham confirmed that her department, the ICO, is involved in advising the government on the data protection elements of the app’s design. She said the agency has been provided with some technical documents for review thus far. But, under committee questioning, she reserved any firmer assessment of the rights impacts’ of the government’s choice of app design and architecture — saying the ICO still hasn’t seen the DPIA.
“I think that is on the verge of happening,” she said when asked if she had any idea when the document would be published or provided to the ICO for review.
“Having that key document — and the requirement for the NHXS to do that, and provide that to me and to the public — is a really important protection,” Denham added. “Especially when everything’s happening at pace and we want the public to take up such an app, to help with proximity and notification.
“The privacy notice and the DPIA will both need to be shared with us and I do know that NHSX plans to also publish that so that they can show the public — be transparent and accountable for what they’re doing.”
The NHSX has given a green light for the ICO to audit the app in future, she also told the committee.
Coronavirus contacts tracing applications are a new technology which, in the UK case, entail repurposing the Bluetooth signals emitted by smartphones to measure device proximity as a proxy for calculating infection risk. The digital tracing process opens a veritable pandora’s box of rights risks, with health data, social graph and potentially location information all in the mix — alongside overarching questions about how effective such a tech will prove in battling the coronavirus.
Yesterday the BBC reported that the NHSX will trial the tracing app in the Isle of Wight this week.
“As we see the trial in the Isle of Wight we’ll all be very interested to see the results of that trial and see if it’s working the way that the developers have intended,” added Denham.
At a separate parliamentary committee hearing last week NHSX CEO, Matthew Gould, told MPs that the app could be “technically” ready to deploy nationally within two to three weeks, following the limited geographical trial.
He also said the app will iterate — with future versions potentially asking users to share location data. So while the NHSX has maintained that only pseudonymized data will be collected and held centrally — where it could be used for public health “research” purposes — there remains a possibility that data could be linked to individual identities, such as if different pieces of data are combined by state agencies and/or if the centralized store of data is hacked and/or improperly accessed.
Privacy experts have also warned of the risk of ‘mission creep’ down the tracing line.
Today the Guardian reported that the government is in talks with digital identity startups about building technology to power so called ‘immunity passports’, as another plank of its digital response to the coronavirus. Per the report, such a system could combine facial recognition technology with individual coronavirus test results so a worker could verify their COVID-19 status prior to entrance to a workplace, for example. (A spokeswomen for Onfido confirmed to TechCrunch that it’s in discussions with the government but added: “As you’d expect these are confidential until publicly shared.”)
Returning to the coronavirus tracing app, the key point is that the government has opted for a system design that centralizes proximity events on an NHSX-controlled server — when or if a user elects to self-report themselves suffering from COVID-19 symptoms (or does so after getting a confirmed diagnosis).
This choice to centralize proximity event processing elevates not just privacy and security questions but also wider human rights risks, as the committee highlighted in a series of questions to Denham and Gould today — pointing out, for example, that Denham and the ICO have previously suggested that decentralized architectures would be preferable for such high rights risk technology.
On that Denham said: “Because I’m the information commissioner, if I were to start with a blank sheet of paper [it] would start with a decentralized system — and you can understand, from a privacy and security perspective, why that would be so. But that does not, in any way, mean that a centralized system can’t have the same kind of privacy and security protections. And it’s up to the government — it’s up to NHSX — to determine what kind of design specifications the system needs.
“It’s up to government to identify what those functions and needs are and if those lead to a centralized system then the question that the DPIA has to answer is why centralized? And my next question would be how are the privacy and security concerns addressed? That’s what a DPIA is. It’s about the mitigation of concerns.”
Apple and Google are also collaborating on a cross-platform API that will support the technical functioning of decentralized national tracing apps, as well as baking a decentralized and opt-in system-wide contacts tracing into their own platforms.
The tech giants’ backing for decentralized tracing apps raises interoperability questions and technical concerns for governments that choose to go the other way and pool data.
In additional details for the forthcoming Exposure Notification API, released today, the tech giants stipulate that apps must gain user consent to get access to the API; should only gather the minimum info necessary for the purposes of exposure notification, and only use it for a COVID-19 response; and can’t access or even seek permission to access a device’s Location Services — meaning no uploading location data (something the NHSX app may ask users to do in future, per Gould’s testimony to a different parliamentary committee last week. He also confirmed today that users will be asked to input the first three letters of their postcode).
A number of European governments have now said they will use decentralized systems for digital contacts tracing — including Germany, Switzerland and the Republic of Ireland.
The European Commission has also urged the use of privacy preserving technologies — such as decentralization — in a COVID-19 contacts tracing context.
Currently, France and the UK remain the highest profile backers of centralized systems in Europe.
But, interestingly, Gould gave the first sign today of a UK government ‘wobble’ — saying it’s not “locked” to a centralization app architecture and could change its mind if evidence emerged that a different choice would make more sense.
Though he also made a point of laying out a number of reasons that he said explained the design choice, and — in response to a question from the committee — denied the decision had been influenced by the involvement of a cyber security arm of the UK’s domestic intelligence agency, GCHQ .
“We are working phenomenally closely with both [Apple and Google],” he said. “We are trying very hard in the context of a situation where we’re all dealing with a new technology and a new situation to try and work out what the right approach is — so we’re not in competition, we’re all trying to get this right. We are constantly reassessing which approach is the right one — and if it becomes clear that the balance of advantage lies in a different approach then we will take that different approach. We’re not irredeemably wedded to one approach; if we need to shift then we will… It’s a very pragmatic decision about what approach is likely to get the results that we need to get.”
Gould claimed the (current) choice of a centralized architecture was taken because the NHSX is balancing privacy needs against the need for public health authorities to “get insight” — such as about which symptoms subsequently lead to people subsequently testing positive; or what contacts are more risky (“what the changes are between a contact, for example, three days before symptoms develop and one day before symptoms develop”).
“It was our view that a centralized approach gave us… even on the basis of the system I explained where you’re not giving personal data over — to collect some very important data that gives serious insight into the virus that will help us,” he said. “So we thought that in that context, having a system that both provided that potential for insight but which also, we believe provided serious protections on the privacy front… was an appropriate balance. And as the information commissioner has said that’s really a question for us to work out where that balance is but be able to demonstrate that we have mitigations in place and we’ve really thought about the privacy side as well, which I genuinely believe we have.”
“We won’t lock ourselves in. It may be that if we want to take a different approach we have to do some heavy duty engineering work to take the different approach but what I wanted to do was provide some reassurance that just because we’ve started down one route doesn’t mean we’re locked into it,” Gould added, in response to concern from committee chair, Harriet Harman, that there might only be a small window of time for any change of architecture to be executed.
In recent days the UK has faced criticism from academic experts related to the choice of app architecture, and the government risks looking increasingly isolated in choosing such a bespoke system — which includes allowing users to self report having COVID-19 symptoms; something the French system will not allow, per a blog post by the digital minister.
Concerns have also been raised about how well the UK app will function technically, as it will be unable to plug directly into the Apple-Google API.
While international interoperability is emerging as a priority issue for the UK — in light of the Republic of Ireland’s choice to go for a decentralized system.
Committee MP Joanna Cherry pressed Gould on that latter point today. “It is going to be a particular problem on the island of Ireland, isn’t it?” she said.
“It raises a further question of interoperability that we’ll have to work through,” admitted Gould.
Cherry also pressed Denham on whether there should be specific legislation and a dedicated oversight body and commissioner, to focus on digital coronavirus contacts tracing — to put in place clear legal bounds and safeguards and ensure wider human rights impacts are considered alongside privacy and security issues.
Denham said: “That’s one for parliamentarians and one for government to look at. My focus right now is making sure that I do a fulsome job when it comes to data protection and security of the data.”
Returning to the DPIA point, the government may not have a legal requirement to provide the document in advance of launching the app to the ICO, according to one UK-based data protection expert we spoke to. Although he agreed there’s a risk of ministers looking hypocritical if, on the one hand, they’re claiming to be very ‘open and transparent’ in the development of the app — a claim Gould repeated in his evidence to the committee today — yet, at the same time, aren’t fully involving the ICO (given it hasn’t had access to the DPIA), and also given what he called the government’s wider “dismal” record on transparency.
Asked whether he’d expect a DPIA to have been shared with the ICO in this context and at this point, Tim Turner, a UK based data protection trainer and consultant, told us: “It’s a tricky one. NHSX have no obligation to share the DPIA with the ICO unless it’s under prior consultation where they have identified a high risk and cannot properly manage or prevent it. If NHSX are confident that they’ve assessed and managed the risks effectively, even though that’s a subjective judgement, ICO has no right to demand it. There’s also no obligation to publish DPIAs in any circumstances. So it comes down to issues of right and wrong rather than legality.
“Honestly, I wouldn’t expect NHSX to publish it because they don’t have to,” he added. “If they think they’ve done it properly, they’ve done what’s required. That’s not to say they haven’t done it properly, I have no idea. I think it’s an example of where the concept of data ethics bumps into reality — it would be a breach of the GDPR [General Data Protection Regulation] not to do a DPIA, but as long as that’s happened and we don’t have an obvious personal data breach, ICO has nothing to complain about. Denham might expect organisations to behave in a certain way or give her information that she wants to see, but if an organisation’s leadership wants to stick rigidly to what the law says, her expectations don’t have any powers to back them up.”
On the government’s claim to openness and transparency, Turner added: “This isn’t a transparent government. Their record on FOI [Freedom of Information] is dismal (and ICO’s record on enforcing to do something about that is also dismal). It’s definitely hypocritical of them to claim to be transparent on this or indeed other important issues. I’m just saying that NHSX can fall back on not having an obligation to do it. They should be more honest about the fact that ICO isn’t involved and not use them as a shield.”
