Contact tracing – breach of data protection?

15 May 2020 by

In the rush to lift the lockdown with safeguards, the government has given a green light to “contact tracing” via bluetooth apps on our smartphones (provided we own them and are willing to take up the app). See Rafe Jenning’s post on the technology behind this project.

Just to remind us what contact tracing via bluetooth apps means, I will recapitulate what Lord Sandhurst says in his introduction.

The government proposes a centralised model, under which I download the centralised app onto my phone. I will keep the phone, and the app, switched on at all times. It will record the identity of the phone of any person to whom I pass close and save that information. If I learn that I am infected, I get that phone to pass that information to the central server of NHSX. The server then sends a message to all people with whom I’ve been in contact within a relevant time period, that tells them that they are at risk of infection but not directly, and from whom

This is a fast-moving development and indeed this post may be rendered otiose in a week’s time, particularly as the UK does not, as yet, have entirely reliable antibody tests (news just in is that this may change). But on 13 May we had the benefit of a virtual gathering of legal experts in data protection, human rights and constitutional law facilitated by, amongst others, Lord Sandhurst (formerly Guy Mansfield QC of 1 Crown Office Row), on the results of the first test run of the tracing app in the Isle of Wight, courtesy of the Society of Conservative Lawyers.

I give the YouTube link to the webinar at the end of this post, but as developments in this area change so fast I would urge you to read in full the papers written by the panellists. Lord Sandhurst QC’s paper can be found here.

Dr Michael Veale at the Faculty of Laws, University College London, has published a paper analysing the data protection impact assessment (DPIA) released by NHSX in relation to their contact tracing/proximity tracing app. The essence of Dr Veale’s argument is that a decentralised system would be the only proportionate response to the need to trace the spread of COVID-19, rather than the centralised system proposed. He has grave doubts about the assurances given by the impact document. “The DPIA claims that you do not give data to the central server without your permission”, he says; “it’s only when you diagnose as positive that the data goes from your phone to the central server.” The impact assessment document maintains that this serves as a barrier from having your privacy invaded. Unfortunately, says Dr Michael Veale, the NHSX system, like all centralised systems, is designed so that other people provide data about you. He posits this scenario as an example:

[say] you were in a cafe, sitting at a table, and there are two people at a table next to you, your phone saw that these people were next to each other at a certain period of time. Say you later get a test, you would be sending that data up to the cloud, and that data would say “person A and person B were colocated at once.” and that’s how the social graph is built up in the cloud.

So, says Dr Veale, there are questions about anonymity; and reading the DPIA there seems to be a war between people who, for PR reasons, want to say this data is anonymous and the data protection and governance people who say that legally this data is not anonymous and really far from it.
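The cafe scenario above can be worked through as a small model. This is an added sketch, not code from the original post, the panellists or NHSX: the identifiers, the registry and the function names are all constructed, and the decentralised variant is modelled, as an assumption, as a design in which only the reporter's own identifiers are published and matching runs on each phone.

```python
from itertools import combinations

# Constructed registry (assumption): to message contacts, the central server
# must be able to map each broadcast ID back to the install it was issued to.
SERVER_REGISTRY = {"id-7f": "install-A", "id-c2": "install-B",
                   "id-91": "install-you"}

# Constructed log held on "your" phone: (broadcast ID heard, time slot).
YOUR_LOG = [("id-7f", "12:00"), ("id-c2", "12:00"), ("id-7f", "12:15")]


def centralised_upload(uploader_id, log):
    """Centralised model: the reporting phone sends its whole contact log."""
    return {"from": uploader_id, "seen": list(log)}


def server_graph(upload, registry):
    """Edges the server can derive from one upload after resolving the IDs."""
    me = registry[upload["from"]]
    by_slot = {}
    for heard_id, slot in upload["seen"]:
        by_slot.setdefault(slot, set()).add(registry[heard_id])
    edges = set()
    for people in by_slot.values():
        # Direct edges: the uploader was near each person heard.
        edges |= {frozenset((me, p)) for p in people}
        # Inferred edges: people heard in the same slot were co-located,
        # although neither of them reported anything.
        edges |= {frozenset(pair) for pair in combinations(sorted(people), 2)}
    return edges


def decentralised_upload(own_broadcast_ids):
    """Decentralised model: only the reporter's own IDs are published."""
    return {"infected_ids": sorted(own_broadcast_ids)}


def phone_is_exposed(published, local_log):
    """Matching runs on each phone against a log that is never uploaded."""
    return any(heard in published["infected_ids"] for heard, _ in local_log)
```

In the centralised case a single upload yields the edge between install-A and install-B, the two people at the next table; in the decentralised case the published record contains no contact log from which such an edge could be derived.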

Erasure and access issues

The government has claimed that there would be no way to re-identify the data in the server because it was technically impossible; but that’s only because they’ve designed it out of the system. It would be a simple step to design it back in.

The need for legislation

Where automated decision making has an effect on an individual, it needs a legal basis. In Dr Veale’s view, this legal basis is lacking in this particular situation.

Risks to fundamental rights and freedoms

Data protection law is meant to deal with power imbalances in the information world. The government released a register of “low” risks to data protection, including the possibility that every single bluetooth tracing app you could design allows any “tech savvy user” to identify whether the person next door tested positive for coronavirus. This is not “low risk”. This is confidential patient information. A statute should be passed to lend legal basis to this system.

Professor Lilian Edwards, specialist in technology law at the University of Newcastle, has serious concerns about the assumption that “code replaces law”. As author of the Bill to protect the data privacy of citizens should contact tracing become a thing, she points out that

Data protection was once a very technical and nerdy matter; now it’s become a highly political matter and the Information Commissioner, though reasonably resourced within Europe, is fighting a “David and Goliath battle” with companies like Google and Facebook. To put this entire enforcement burden on the Information Commissioner seems unhelpful in this strange emergency situation where human rights are under threat.

The Coronavirus (Safeguards) Bill came out on 13 April. Professor Edwards was warned that there was “no way” this would ever be passed. To her surprise, Australia passed a very similar privacy law vis-à-vis their own centralised tracing app on the same day. It has legal safeguards which are now effectively being trialled.

You shouldn’t have to have a smartphone (20% in UK society do not own smartphones, and therefore should not be further excluded and disempowered)

…For this incursion into privacy to be justified, there has to be very high takeup

But for example a private sector employer is free to refuse to employ someone unless they have a smartphone with the app.

Is this a “responsible thing for a society to allow?” That kind of compulsion is not “ruled out by current data protection law”.

So what do we do? Take a GP’s waiting room – it may be justified to stipulate that people have this app on their phones. This is proportionate. But the Australian bill says that there should be no coercion at all.

There are other choices. How do we legislate for “immunity passports”? Given that we are not even sure that antibodies confer immunity, the contact tracing app and immunity passport may become an instrument for discrimination. What kind of discrimination or exclusion are proportionate to the benefits they confer on society as a whole?

Dr Michael Veale responded to Professor Edwards’ points by alerting us to the fact that we focus on privacy perhaps to the detriment of other issues. This app, Dr Veale stresses, is tending towards a platform for a coercive programme for individuals, neighbourhoods, communities, civil societies, leading to “programmable populations” –

You render the world legible and then try to manipulate it. This is an unprecedented change. This is trying to get at some of the power that Google and Facebook have had online, but trying to give it to the state in this situation.

Dr Veale expressed great concern about this “mission creep”.

Anyone watching the YouTube recording of this webinar may be interested by the questions put to the panel:

This app is for self-asserted symptoms, not certified test results. Is this a justification for going down the centralised route? In other words, is it that the tests are not proving reliable enough, quickly enough in the UK? Therefore should we be willing to take on the risk of false reporting?

But as Dr Veale points out, this enables people to target particular individuals, such as children pointing at their parents, employees their employers, identifying celebrities on the Dark Web and downloading and sharing identifiers online in order to place them into quarantine. Dr Veale’s team does not accept that it is not possible to detect abuse, small or medium scale fraudulence in this context.

So where does this take us? The NHSX app at the moment is, in Dr Veale’s words,

one step away from permanent identifiers that connects your name or your real identity explicitly rather than implicitly as they do right now.

So this has implications for quarantine control. It’s very easy for the government to introduce bluetooth sensors in supermarkets and railway stations to assess how often we go out, and this is a reason for concern.

Another question put to the panel was whether there are any existing laws that can prevent discrimination against individuals that choose not to download the contact tracing app. Barrister Simon Murray did not think that there is any legislative protection, even under the Equality Act, that would provide a ground for a legal challenge. Infection with Coronavirus is not a protected ground under the Equality Act.

What about the consequences of this app’s action? What happens to those who’ve been alerted as to proximity, will they be penalised if they leave their home? In Taiwan, quarantine is enforced by an app on your own phone – so if you leave your home, the app reports your actions to authorities.

Professor Edwards did not think the route taken by China and Taiwan would be acceptable in this country. It will “always be disproportionate to impose sanctions on somebody for failing to self isolate, or breaking self isolation, on the basis of not even your own self reported symptoms but the self reported symptoms of somebody else” –

In the Coronavirus Regulations and in the primary emergency legislation (CA2020) there is a loophole: if a direction is given to a potentially infected person then they can be fined or sanctioned for breaking that direction. So the question is what becomes of the direction at that point.


Enforcing quarantine on a particular individual under a direction made under the Regulations which in turn were made under the 2020 Act gives no right to appeal. A police officer can direct you back to your residence but he can’t keep you there; can he direct you to be quarantined? This is not clear.

In conclusion, the panellists noted that Germany, the Republic of Ireland and other countries are pursuing a decentralised system of information via smartphones. Only France and Norway are pursuing a centralised system like we are proposing to do.

You can replay the webinar “The Covid-19 App – does it threaten privacy rights” via YouTube.


  1. Trevor Grundy says:

    I endorse the comments of counsel on this point.

    It seems the government’s approach to the situation has moved from “Too little; too late” at the outset to, when considering easing back, to “Too much; too soon”. Has the Cabinet actually read Article 2 and related decisions, I wonder?

    Trevor Grundy FCILEx

  2. Amy says:

    It seems we are missing the point somewhat. There is absolutely no way to keep this “personal” information anonymised. How anonymous is your data if the app records your location via bluetooth, ie going from home to work every day, your identity is therefore not anonymous at all! It is impossible to keep your identity private when you agree to have your location constantly active. Furthermore, can anyone please tell me the aim of this app beyond surveillance? Does anyone else not see how utterly uselessness of self-reporting via an app and collating information on possibly infected but otherwise healthy people with no applicable powers to enforce quarantine on those suspected or tested as positive is meant to achieve? What can this app achieve that NHS 111 cannot? What possible benefit can this surveillance have on our health, when weighed with the enormous cyber security and personal intrusions this clearly has when the subtext of corona posing no real risk to 98% of the population? We’ve lost the plot. Instead of questioning the need for this we’ve just excitedly delved into the logistics of the how. Lawyers can only go so far. We desperately need bio-tech experts here to weigh in on the true utility of this unprecedented access to our health data.

  3. they force foreigners to give biometrics and carry these least secure phones possible so they can track and record everything they do and say….how long before rest of the population?

  4. englishman1957 says:

    All pretty alarming. So much so that it has led even one of our leading public lawyers to call the Equality Act ‘the Equalities Act’!

    1. Rosalind English says:

      Thank you for pointing that out – editorial mistake, not the panellist’s! Now corrected.

Welcome to the UKHRB

This blog is run by 1 Crown Office Row barristers' chambers. Subscribe for free updates here. The blog's editorial team is:
Commissioning Editor: Jonathan Metzer
Editorial Team: Rosalind English, Angus McCullough QC, David Hart QC, Martin Downs, Jim Duffy
