Data Protection Issues related to Covid-19

The Failure of the UK’s Centralised Covid-19 Contact-tracing App by Oliver Butler

The Promise of a Contact-Tracing App

On 31st January 2020, the first two cases of Covid-19 in the UK were confirmed and it was reported that the NHS was seeking to trace their close contacts. By 29th February 2020, 23 cases were confirmed and over 10,000 people had been tested, including the first patient to be diagnosed who had not had any recent travel outside the UK. On the 5th March 2020, the UK moved from “containment” to “delay”. Initial manual contact tracing was abandoned on 12th March 2020 as capacity was overwhelmed: it only had capacity to trace the contacts of five patients per week. The UK went into a national lockdown on 23rd March 2020.

On 12th April, the Secretary of Health Matt Hancock announced that the UK Government would be developing a contact-tracing app. Contact-tracing apps seek to identify close contacts of an infected or symptomatic individual by Bluetooth proximity and send notifications which advise close contacts to self-isolate. The Government’s promised contact-tracing app did not materialise. It was abandoned in late June 2020, in favour of an alternative model using technology developed by Google and Apple. On 13th August 2020, a new app was announced for trials based on a decentralised model, rather than collecting and storing contact data centrally. It is not clear when these trials will be concluded.

Manual contact tracing had resumed in the UK in late May 2020, with the recruitment of 25,000 contract tracers. It has been criticised for failures to share enough data with local public health officials in a timely way, to contact non-English speakers effectively, to employ sufficiently trained and specialist contact tracers, and to do enough to encourage compliance with advice to self-isolate.

Germany launched its contact tracing app in mid-June 2020. At that time, the UK Secretary of State for Health described the UK app as the “cherry on the cake”, no longer the cake itself. Why then has the UK been so slow to develop a contact tracing app? The difficulties encountered cannot be explained alone by the legal issues faced by the Government.

A Dismissive Attitude towards Privacy and Data Protection

The Minister of State for Health Matt Hancock has shown a dismissive attitude towards privacy and data protection. In response to a question in Parliament about the lack of a Data Protection Impact Assessment, as required by the GDPR and intended to ensure that problems are identified and resolved before data processing starts, the Secretary of State Matt Hancock replied that he “wouldn’t be held back by bureaucracy”.

This is reflective of a key failing of the UK Government. That key failing is a tendency to tech-solutionism without an adequate concern to integrate privacy and data protection from an early stage. It stems from over-optimism about technology and a lack of realism and attention to the real challenges technological solutions pose. Technology can and must help to provide solutions to complex societal problems. Privacy and data protection rules are not barriers to be overcome but rather important processes and considerations to be integrated to improve the effectiveness of technological solutions. This is because privacy and data protection standards are important for the legitimacy of technological solutions and, therefore, ultimately their success. To think of them as “barriers” or “bureaucracy” holding the Government back is a serious error.

A Lack of Realism in “Going it Alone”

A lack of realism stemming from a over-optimistic tech-solutionism was main cause of delay in the development of a UK contact-tracing app. It led to the neglect of the need to work with existing technology companies. On 10th April 2020, Apple and Google announced the development of a contact-tracing API that allowed apps to function more effectively, but only provided that such apps adopt a decentralised approach to data. Decentralised apps contact match on individual devices without making a central database of all contacts. The two tech giants account for the overwhelming majority of smartphones. The Apple-Google API permits interoperability between apps if individuals cross borders.

The UK Government’s persistence to “go it alone” and seek a centralised database cost valuable time. It was ultimately unsuccessful, as the Isle of Wight trial revealed a failure of the centralised app to detect contacts with 96% of iPhones and 25% of Android phones. By contrast, apps based on the Apple-Google API detect 99% of contacts, although the accuracy of its proximity calculations is lower. On 18th June, the Secretary of State for Health Matt Hancock attributed the failure of the UK app to Apple and Google’s decision to only support decentralised apps: “our app won’t work because Apple won’t change that system”. That was entirely clear in April.

Limited Engagement by the UK Information Commissioners’ Office

The UK Government’s neglect for privacy and data protection has been permitted by the lax approach of the UK data protection authority. The UK Information Commissioner’s Office (ICO) has been criticised by the Open Rights Group for failing to put the UK Government under any serious pressure during the development of the UK app. It has adopted a “pragmatic” approach to enforcement during the Covid-19 pandemic. The Government failed to share a Data Protection Impact Assessment (DPIA) with the ICO before the launch of the Isle of Wight trial of the app. The UK Government were forced by the threat of legal action by the ORG, not by the threat of ICO action, to conduct a DPIA for the manual contact tracing system.

The limited engagement by the UK ICO was criticised by a cross-party group of 22 MPs in late August 2020, who called on the ICO to make full use of its powers to issue information, assessment or enforcement notices and to consider fines. They argued that the Government had used the ICO as a “shield against criticism”, while showing disregard for data protection safeguards.

The ICO has focused on providing advice and guidance as a “critical friend” to Government. On 21st August, the ICO responded to this criticism, emphasising the provision of “expert technical advice and support on information rights”, “challenge and feedback”, and the “need to strike a fine balance between enabling innovation in the public interest and protecting the public from the potential for unnecessary privacy intrusion which poorly informed innovation may cause”. The ICO also highlighted that a consensual audit of the Track and Trace programme has been agreed and the ICO reserves its ability to take regulatory action in the future. However, this will likely not satisfy critics who consider that its approach has been both too soft and too slow.

The Need for Good Governance

The unwillingness of the UK Government to implement realistic and well-designed systems, and the failure of the ICO to make it integrate privacy and data protection into its design, led to harmful delays. It is not “bureaucracy” that holds such projects back: it is a lack of good governance.

 

Dr Oliver Butler, Fellow, Wadham College, University of Oxford and Research Fellow, Bonavero Institute of Human Rights.

For more information on the context of this e-conference and the other papers see

 

Don’t miss the next paper on 29th September at 8:30 am (GMT+1)

Hong Kong: Covid 19 and Privacy by Anne Cheung

 

Votre commentaire

Entrez vos coordonnées ci-dessous ou cliquez sur une icône pour vous connecter:

Gravatar
Logo WordPress.com

Vous commentez à l’aide de votre compte WordPress.com. Déconnexion /  Changer )

Image Twitter

Vous commentez à l’aide de votre compte Twitter. Déconnexion /  Changer )

Photo Facebook

Vous commentez à l’aide de votre compte Facebook. Déconnexion /  Changer )

Annuler

Connexion à %s

Ce site utilise Akismet pour réduire les indésirables. En savoir plus sur la façon dont les données de vos commentaires sont traitées.