The Promise of a Contact-Tracing App
On 31st January 2020, the first two cases of Covid-19 in the UK were confirmed and it was reported that the NHS was seeking to trace their close contacts. By 29th February 2020, 23 cases were confirmed and over 10,000 people had been tested, including the first patient to be diagnosed who had not had any recent travel outside the UK. On the 5th March 2020, the UK moved from “containment” to “delay”. Initial manual contact tracing was abandoned on 12th March 2020 as capacity was overwhelmed: it only had capacity to trace the contacts of five patients per week. The UK went into a national lockdown on 23rd March 2020.
On 12th April, the Secretary of Health Matt Hancock announced that the UK Government would be developing a contact-tracing app. Contact-tracing apps seek to identify close contacts of an infected or symptomatic individual by Bluetooth proximity and send notifications which advise close contacts to self-isolate. The Government’s promised contact-tracing app did not materialise. It was abandoned in late June 2020, in favour of an alternative model using technology developed by Google and Apple. On 13th August 2020, a new app was announced for trials based on a decentralised model, rather than collecting and storing contact data centrally. It is not clear when these trials will be concluded.
Manual contact tracing had resumed in the UK in late May 2020, with the recruitment of 25,000 contract tracers. It has been criticised for failures to share enough data with local public health officials in a timely way, to contact non-English speakers effectively, to employ sufficiently trained and specialist contact tracers, and to do enough to encourage compliance with advice to self-isolate.
Germany launched its contact tracing app in mid-June 2020. At that time, the UK Secretary of State for Health described the UK app as the “cherry on the cake”, no longer the cake itself. Why then has the UK been so slow to develop a contact tracing app? The difficulties encountered cannot be explained alone by the legal issues faced by the Government.
A Dismissive Attitude towards Privacy and Data Protection
The Minister of State for Health Matt Hancock has shown a dismissive attitude towards privacy and data protection. In response to a question in Parliament about the lack of a Data Protection Impact Assessment, as required by the GDPR and intended to ensure that problems are identified and resolved before data processing starts, the Secretary of State Matt Hancock replied that he “wouldn’t be held back by bureaucracy”.
This is reflective of a key failing of the UK Government. That key failing is a tendency to tech-solutionism without an adequate concern to integrate privacy and data protection from an early stage. It stems from over-optimism about technology and a lack of realism and attention to the real challenges technological solutions pose. Technology can and must help to provide solutions to complex societal problems. Privacy and data protection rules are not barriers to be overcome but rather important processes and considerations to be integrated to improve the effectiveness of technological solutions. This is because privacy and data protection standards are important for the legitimacy of technological solutions and, therefore, ultimately their success. To think of them as “barriers” or “bureaucracy” holding the Government back is a serious error.
A Lack of Realism in “Going it Alone”
A lack of realism stemming from a over-optimistic tech-solutionism was main cause of delay in the development of a UK contact-tracing app. It led to the neglect of the need to work with existing technology companies. On 10th April 2020, Apple and Google announced the development of a contact-tracing API that allowed apps to function more effectively, but only provided that such apps adopt a decentralised approach to data. Decentralised apps contact match on individual devices without making a central database of all contacts. The two tech giants account for the overwhelming majority of smartphones. The Apple-Google API permits interoperability between apps if individuals cross borders.
The UK Government’s persistence to “go it alone” and seek a centralised database cost valuable time. It was ultimately unsuccessful, as the Isle of Wight trial revealed a failure of the centralised app to detect contacts with 96% of iPhones and 25% of Android phones. By contrast, apps based on the Apple-Google API detect 99% of contacts, although the accuracy of its proximity calculations is lower. On 18th June, the Secretary of State for Health Matt Hancock attributed the failure of the UK app to Apple and Google’s decision to only support decentralised apps: “our app won’t work because Apple won’t change that system”. That was entirely clear in April.
Limited Engagement by the UK Information Commissioners’ Office
The UK Government’s neglect for privacy and data protection has been permitted by the lax approach of the UK data protection authority. The UK Information Commissioner’s Office (ICO) has been criticised by the Open Rights Group for failing to put the UK Government under any serious pressure during the development of the UK app. It has adopted a “pragmatic” approach to enforcement during the Covid-19 pandemic. The Government failed to share a Data Protection Impact Assessment (DPIA) with the ICO before the launch of the Isle of Wight trial of the app. The UK Government were forced by the threat of legal action by the ORG, not by the threat of ICO action, to conduct a DPIA for the manual contact tracing system.
The limited engagement by the UK ICO was criticised by a cross-party group of 22 MPs in late August 2020, who called on the ICO to make full use of its powers to issue information, assessment or enforcement notices and to consider fines. They argued that the Government had used the ICO as a “shield against criticism”, while showing disregard for data protection safeguards.
The ICO has focused on providing advice and guidance as a “critical friend” to Government. On 21st August, the ICO responded to this criticism, emphasising the provision of “expert technical advice and support on information rights”, “challenge and feedback”, and the “need to strike a fine balance between enabling innovation in the public interest and protecting the public from the potential for unnecessary privacy intrusion which poorly informed innovation may cause”. The ICO also highlighted that a consensual audit of the Track and Trace programme has been agreed and the ICO reserves its ability to take regulatory action in the future. However, this will likely not satisfy critics who consider that its approach has been both too soft and too slow.
The Need for Good Governance
The unwillingness of the UK Government to implement realistic and well-designed systems, and the failure of the ICO to make it integrate privacy and data protection into its design, led to harmful delays. It is not “bureaucracy” that holds such projects back: it is a lack of good governance.
For more information on the context of this e-conference and the other papers see
Don’t miss the next paper on 29th September at 8:30 am (GMT+1)
Hong Kong: Covid 19 and Privacy by Anne Cheung