Updated 11 May 2020
Could mobile phone apps which trace contacts be part of the solution to the COVID-19 pandemic? This blog takes a very brief look at some of the main issues.
Current developments
There is already considerable momentum behind contact-tracing apps worldwide.
Various countries such as Iceland, Austria, Singapore and Australia already have them. And apps have also been part of South Korea and China’s response (albeit combined with more intrusive forms of surveillance).
Google and Apple are also cooperating to ensure their devices work with third party apps.
NHS England’s digital body, NHSX, is also developing an app which is currently being tested on the Isle of Wight.
This is a UK Government approach and it is not yet clear what role the app might have in Scotland.
The Scottish Government has recently stated in its Test, Trace, Isolate, Support document that it is looking for greater involvement in the app and that it, “needs to understand how data from this app will interface with the Scottish approach to contact tracing.”
What do contact-tracing apps do?
Traditionally, contact-tracing involves health workers using interviews to track down the close contacts of those who are infected with a communicable disease (this is often known as manual contact-tracing).
Contact-tracing apps aim to speed up this process by utilising the fact that most people have smart phones (79% of UK adults according to Ofcom’s Communications Market Report 2019). Proponents argue that manual contract tracing alone is not fast enough to stop the virus’s spread.
In the UK, the initial UK plan was to use GPS location data to record people’s movements.
Location data raises bigger privacy concerns as it means that governments get information on people’s movements. In common with many other countries, the UK plan now involves using phones’ Bluetooth signals to record “proximity data” (i.e. anonymised details of close contacts but not their locations).
The UK app will be voluntary. People can choose whether or not to use it. The app would exchange randomised identifiers via Bluetooth to record close contacts (e.g. those closer than 2 metres for 15 minutes). For more details see the National Cyber Security Office’s blog.
The UK app works on a self-reporting basis. So, if someone has symptoms, they could choose to use the app to alert these close contacts – who could then be advised to self-isolate.
The app will record proximity data, not data about geographical location. However, NHSX has indicated that people may be given the option to share more detailed data in the future with the aim of spotting epidemiological trends and disease hotspots.
What about privacy?
Privacy is arguably one of the biggest concerns. The UK app will have to comply with UK data protection law, and human rights and equality law. It will also need to ensure patient confidentiality.
Trust is a key factor in whether people share data. The degree to which people trust the NHS/the UK Government to protect their privacy will therefore impact on the uptake of the app.
Data protection
Data protection legislation controls the use of personal data in the UK. The Information Commissioner’s Office (ICO) is the UK regulator.
The UK’s Information Commissioner has explained that voluntary Bluetooth contract-tracing apps may be lawful but that systems should:
- ensure privacy by design (i.e. privacy should be integrated from the beginning)
- give users full control over their data (both on use and options for preventing processing)
- ensure that the collection and use of personal data is necessary and proportionate (i.e. the minimum needed)
- provide clarity on what happens to the data once the crisis is over.
There is, however, substantial debate about the best way to protect privacy.
One example is the debate about where proximity data should be stored. The centralised approach favours storing and processing all the contact data of those who have become symptomatic on a central database. In contrast, in the decentralised approach this should happen on people’s phones, with a central server only relaying information to phones once someone becomes symptomatic.
Those in favour of a decentralised approach, such as the DP3T project, highlight several benefits:
- it involves the minimum amount of data being shared
- it stops authorities using proximity data to analyse people’s social contacts, and
- it limits the potential for abuse – e.g. governments later identifying people and tracking them continually when using the app.
There are also arguments that only decentralised systems will work properly with Apple and Google phones, although NHSX insists this is not the case.
A large group of UK academics have argued for decentralised systems. And a range of countries including Germany and Switzerland are taking this approach.
In contrast, the UK, and countries such as France, are following a centralised approach. The view of NHSX is that this will provide the health service with better insight into epidemiological trends. There are suggestions though that the UK Government may also be developing a decentralised version of the app which could replace the current one depending on the outcome of testing on the Isle of Wight.
The Information Commissioner has stated that the starting point should be for decentralised systems. However, in evidence to the Joint Commons and Lords Committee on Human Rights she explained that centralised systems can still protect privacy if designed correctly.
Human rights and equalities
Data protection and privacy isn’t the only potential problem.
There are also concerns that over-reliance on a tech solution may have an adverse impact on certain groups. Examples include those who are less likely to use smart phones, such as older people and children, and those who do not trust their data to be protected within government (for example because of fears that it will be shared with other government bodies beyond the NHS).
This has led some to argue for the need for additional protections. For example, Professor Lilian Edwards of Newcastle Law School has argued that there should be separate legislation to do this, which would include independent oversight.
The Joint Committee on Human Rights published a Report on the contact-tracing app on 7 May. It concluded that the app could potentially have a positive effect, but that there are significant human rights concerns which need to be addressed. It also stated that separate primary legislation was needed.
To what extent will apps work to slow the spread of the disease?
Even if privacy can be protected, another crucial question is the degree to which apps will work to slow the spread of COVID-19.
Assuming Bluetooth technology is sufficiently accurate, the number of people who actually use an app will be a key factor.
This is a very high threshold which NHSX has admitted would need a lot of buy-in and trust to be met It is, however, of the view that the app would still have significant value if its use was less than desired.
In any event, it seems that apps will only be one aspect of the exit strategy.
This view is also echoed in the Scottish Government’s “Test, Trace, Isolate, Support” document. It states that any contact-tracing apps will not be a substitute for the Scottish Government’s general contact-tracing strategy.
Angus Evans
Senior Researcher, Justice Health and Social Affairs Research Unit