What are the data privacy considerations of Contact Tracing Apps?

1 May 2020 by

Latest news: GCHQ has published a detailed blog article which seeks to explain (and defend) the new NHS contact tracing app, which the Government regards as the key to a controlled exit from lockdown.

Coronavirus presents a serious threat to society, legitimising the collection of public health data under Article 9:2 (g) of GDPR regulations, which allows the processing of such data if “necessary for reasons of substantial public interest”. Some of this collection will take the form of contact tracing apps, which have been used in containing the spread of coronavirus in countries such as Singapore. 

They work by broadcasting a bluetooth signal from a smartphone which is picked up by other smartphones (and vice versa), meaning that if one user contracts coronavirus, those who have been in contact with that user can be effectively warned and given further advice to stop the spread. 

NHSX, the body responsible for setting NHS data usage policy and best practice, has been developing a contact tracing app which is currently undergoing effectiveness trials at RAF Leeming. As it stands, the app either tells you “You’re okay now” or “You need to isolate yourself and stay at home”. It seems likely that this or a similar app will be rolled out over the UK in the coming months. 

Centralised vs. Decentralised Contact Tracing 

Two general architectures have been proposed for a contact tracing app: centralised and decentralised. On a decentralised architecture, after a positive diagnosis, one’s personal identifier is uploaded to a server which then broadcasts the identifier to all other phones running the app. One’s proximity contacts are recorded on one’s phone; if there is a match between a proximity contact and an identifier received by a phone, the user is alerted to the possibility that they may have contracted coronavirus. The central server therefore does not contain information regarding who may have contracted coronavirus from the matches. On a centralised model, one’s proximity contacts are uploaded to a central server, where the matches are made and then sent to the relevant phones. 

Imagine a supermarket queue: John sees his friend Ben and irresponsibly goes to talk to him, ignoring social distancing rules. They both have contact tracing apps installed on their phones. If those apps are built on the centralised model, the contact between them will be sent to a central computer. Then, if John gets coronavirus, the central system can check through all of John’s contacts, and issue Ben a warning to take precautions. The central system records all of the contacts between everyone using the app.

On a decentralised model, the contact between John and Ben is not stored on a central server; rather, it is stored on both of their phones. If John gets a positive diagnosis, the central server broadcasts that to all the phones with the app. Ben’s phone receives this information, checks its memory to find that it has been in contact with John’s phone, and tells Ben to take precautions. Crucially, on the decentralised model, the central server (and thus the relevant health, government authority, or hacker attempting to steal health data) does not know that Ben has been in contact with John, and does not know Ben is at risk unless he decides to report it.

The NHSX contact tracing app is built on a centralised architecture. As such, it will collect the contacts of those who use the app. One significant advantage of the centralised architecture is that the relevant public health authority, such as the NHS in Britain, has access to a fairly complete picture of the spread of coronavirus among those who have adopted the app, via the ‘social graph’ created on the central server. This is a dataset which charts all the interactions between people, and can be used to track the spread of coronavirus. However, data privacy activists worry about “mission creep”: how long will this dataset be kept, and could it be used for other purposes than tracking the spread of coronavirus? Could the system be engineered to order individuals to self-isolate even if they had no symptoms, if for example they’d had too many contacts? The answer to these questions is unclear, which is one of the reasons why a group of 177 academics working in information security and privacy* have called for an immediate Data Protection Impact Assessment (DPIA).

Cyber security watchdogs the Information Commissioner’s Office and European Data Protection Board have both said that they marginally prefer the decentralised model as it limits the data open to potential attack. However, they have also both said that either can be consistent with the necessary data protection requirements of Art. 25 (1) of GDPR, which requires data controllers to “implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation”.

Legal Protections 

Professor Lilian Edwards, Professor of Law, Innovation & Society at Newcastle University, has argued for the need for new statute to enshrine basic data safeguards regarding the use of contact tracing apps and other digital tools to fight coronavirus. The proposed statute focuses on three main areas: First, that there shall be “No sanctions for failing to carry personal devices, install or run application”. Secondly, there should be “No mandatory requirement to install application or display messages received by application without due safeguards” . Thirdly, there should be “No repurposing or sharing of personal data derived from symptom tracking and contact tracing apps”. The proposed legislation also reiterates cybersecurity experts’ calls for an immediate DPIA.

Motivating the proposed legislation are a number of concerns. First, a significant minority of British people do not own smartphones with the necessary Low Energy bluetooth technology to employ contact tracing apps. Contact tracing apps, the legislation holds, must not be used to further exclude the already digitally excluded. Secondly, contact tracing apps depend on uptake for their success. Since the government estimates around 50-60% of the population needs to download contact tracing apps for them to be successful, then it needs close to universal adoption from those who can use them. Restating in hard law the privacy entitlements could reassure people of their rights and encourage them to adopt the apps.

Equally significant is the danger of “scope creep”. The ICO argues that purpose limitation is a “core principle of data protection internationally”. Professor Edwards’ proposed legislation particularly draws attention to the data subjects Chapter 3 rights under GDPR, such as the right to access data, right to rectification, right to erasure, and right to restriction of processing. Reinforcing those rights in the context of contact tracing apps could reassure the public that data protection considerations were being put front and centre. Such a concern is also present in the clause that calls for an immediate DPIA.

Similar legislation has been passed in Australia to coincide with the rollout of their national contact tracing app CovidSafe, the Biosecurity Determination 2020. Significantly, it specifies that:

“(2)  A person must not:

(a)  refuse to enter into, or continue, a contract or arrangement with another person (including a contract of employment); or

 (b)  take adverse action (within the meaning of the Fair Work Act 2009) against another person; or

(c)  refuse to allow another person to enter premises; or

(d)  refuse to allow another person to participate in an activity; or

(e)  refuse to receive goods or services from another person; or

(f)  refuse to provide goods or services to another person;”

Much like Professor Edwards’ proposed legislation, the Biosecurity Determination 2020 explicitly states that the purpose of the statute “is to make contact tracing faster and more effective by encouraging public acceptance and uptake of COVIDSafe”, rather than to implement novel legal protections. 

Of course, any use of contact tracing apps is reliant upon widespread availability of testing. To limit false positives, which could spread quickly through a contact tracing system, positive diagnoses of coronavirus would have to come from sanctioned tests. As the government’s testing program remains fairly limited in extent, the use of contact tracing apps and their privacy limitations remains fairly theoretical. Moreover, their effectiveness has been somewhat limited so far where they’ve been trialed. In Singapore, where uptake of the app was compelled among armed forces, uptake was only around roughly 12% of the population. To illustrate the point, if as much as 40% of the population downloaded the app, for any given encounter there would only be a 16% chance that both people would have the app and therefore benefit from digital contact tracing. It therefore remains to be seen how useful digital contact tracing will be compared to traditional contact tracing methods – simply asking people who they’d been in contact with.  

*Privacy activists has been updated to academics working in information security and privacy. Thank you to Professor Boiten for the correction.

Welcome to the UKHRB

This blog is run by 1 Crown Office Row barristers' chambers. Subscribe for free updates here. The blog's editorial team is:
Commissioning Editor: Jonathan Metzer
Editorial Team: Rosalind English
Angus McCullough QC David Hart QC
Martin Downs
Jim Duffy

Free email updates

Enter your email address to subscribe to this blog for free and receive weekly notifications of new posts by email.




Aarhus Abortion Abu Qatada Abuse Access to justice adoption AI air pollution air travel ALBA Allergy Al Qaeda Amnesty International animal rights Animals anonymity Article 1 Protocol 1 Article 2 article 3 Article 4 article 5 Article 6 Article 8 Article 9 article 10 Article 11 article 13 Article 14 article 263 TFEU Artificial Intelligence Asbestos Assange assisted suicide asylum asylum seekers Australia autism badgers benefits Bill of Rights biotechnology blogging Bloody Sunday brexit Bribery British Waterways Board care homes Catholic Church Catholicism Chagos Islanders Charter of Fundamental Rights child protection Children children's rights China christianity citizenship civil liberties campaigners civil partnerships climate change clinical negligence closed material procedure Coercion Commission on a Bill of Rights common law communications competition confidentiality consent conservation constitution contact order contact tracing contempt of court Control orders Copyright coronavirus coronavirus act 2020 costs costs budgets Court of Protection covid crime criminal law Cybersecurity Damages data protection death penalty defamation DEFRA deportation deprivation of liberty derogations Detention Dignitas diplomacy disability disclosure Discrimination disease divorce DNA domestic violence duty of care ECHR ECtHR Education election Employment Environment Equality Act Equality Act 2010 Ethiopia EU EU Charter of Fundamental Rights EU costs EU law European Convention on Human Rights European Court of Human Rights European Court of Justice evidence extradition extraordinary rendition Facebook Facial Recognition Family Fatal Accidents Fertility FGM Finance foreign criminals foreign office foreign policy France freedom of assembly Freedom of Expression freedom of information freedom of speech Gay marriage gay rights Gaza Gender genetics Germany Google Grenfell Gun Control Health HIV home office Housing HRLA human rights Human Rights Act human rights news Human Rights Watch Huntington's Disease immigration India Indonesia injunction Inquests insurance international law internet inuit Iran Iraq Ireland islam Israel Italy IVF ivory ban Japan joint enterprise judaism judicial review Judicial Review reform Julian Assange jury trial JUSTICE Justice and Security Bill Law Pod UK legal aid legal aid cuts Leveson Inquiry lgbtq liability Libel Liberty Libya lisbon treaty Lithuania local authorities marriage Media and Censorship mental capacity Mental Capacity Act Mental Health military Ministry of Justice modern slavery morocco murder music Muslim nationality national security naturism neuroscience NHS Northern Ireland nuclear challenges nuisance Obituary ouster clauses parental rights parliamentary expenses scandal patents Pensions Personal Injury physician assisted death Piracy Plagiarism planning planning system Poland Police Politics Pope press prison Prisoners prisoner votes Prisons privacy Professional Discipline Property proportionality prosecutions Protection of Freedoms Bill Protest Public/Private public access public authorities public inquiries quarantine Radicalisation rehabilitation Reith Lectures Religion RightsInfo right to die right to family life Right to Privacy right to swim riots Roma Romania round-up Round Up Royals Russia saudi arabia Scotland secrecy secret justice Secret trials sexual offence shamima begum Sikhism Smoking social media social workers South Africa Spain special advocates Sports Standing starvation statelessness stem cells stop and search Strasbourg super injunctions Supreme Court Supreme Court of Canada surrogacy surveillance sweatshops Syria Tax technology Terrorism tort Torture travel treason treaty accession trial by jury TTIP Turkey Twitter UK Ukraine universal credit universal jurisdiction unlawful detention USA US Supreme Court vicarious liability Wales War Crimes Wars Welfare Western Sahara Whistleblowing Wikileaks wildlife wind farms WomenInLaw Worboys wrongful birth YearInReview Zimbabwe


This blog is maintained for information purposes only. It is not intended to be a source of legal advice and must not be relied upon as such. Blog posts reflect the views and opinions of their individual authors, not of chambers as a whole.

Our privacy policy can be found on our ‘subscribe’ page or by clicking here.

%d bloggers like this: