Test and trace in the world of data protection



In our last article on test and trace back in May, my colleague Ed Pullicino explained the technical aspects and data protection implications of the two different types of test and trace app the government was considering using to halt the spread of COVID-19. The government has since chosen to go with the de-centralised model created by Apple and Google, alongside a traditional manual test and trace system, after a pilot of the centralised model created by NHSX produced patchy results[1]. There were numerous concerns about the centralised model from a privacy and data protection perspective, as all data was held in one central location, which could be vulnerable to attack or misuse, and some people were concerned about the government being able to track people’s location or to repurpose the data for another use[2] [3]. So now that the de-centralised model has been chosen, is there any reason for concern?

Privacy impacts of the de-centralised model

The risks are relatively low, as the NHS Test and Trace app was designed with privacy protection at the forefront. To use the app, you don’t need to give your name, email address, telephone number or residential address. Your location data is not tracked via GPS. The data is mostly held on the user’s phone rather than on a central server and any data collected on the phone will be erased with the deletion of the app.

Perhaps the strongest sign of the app’s safety is that the ICO, as data protection regulator for the UK, has given its blessing for the app to be used[4]. The regulator was consulted throughout the app development process and has reviewed various iterations of the applicable DPIA. Elizabeth Denham, the UK Information Commissioner, has stated that the ICO will audit the whole Test and Trace ecosystem, to ensure it meets the relevant data protection obligations.

The app will only be successful if sufficient numbers of people use it, which will only happen if there are high levels of public trust in the system. It is therefore vital that the government convinces the general public that the system is safe and the Commissioner’s endorsement will hopefully assist in that regard.

Can businesses still use their own test and trace model for customers instead of the NHS app?

One function of the NHS app is that it allows customers to “check in” to venues by using a QR code scanner. Some businesses, such as pubs, restaurants and hotels, had already implemented their own QR code system for customers before the NHS QR code came in. However, in England, it is now law[5] that designated venues in certain sectors (including hospitality, tourism, amusement, close contact services, community centres and libraries) must display the NHS app QR code at the entrance or point of service (e.g. a till). Businesses must also have a separate, manual process for collecting data from people who don’t have smartphones or who don’t want to use the app. These records must be kept securely and out of sight of other visitors or customers and of any staff not using them. They must only include the government-listed information and must not be retained for more than 21 days or used for other purposes.

Whilst other QR code systems have not been banned, the government has stated that businesses in England using their own system should now switch to the official NHS QR code system, to avoid confusing customers[6]. This is particularly the case as the NHS app QR code needs to be displayed in addition to any other codes and cannot be read by any other app.

Can employers use their own test and trace model instead of the NHS app?

Despite the introduction of the NHS Test and Trace scheme, the current advice is still for employees to work from home wherever possible, as COVID cases have begun rising again in England. Where employees do need to go in to their place of work, some employers had already put their own tracing systems in place for staff before the NHS app was launched and are keen to continue using a tried and trusted method that their employees are used to. Others say that their own systems work better for their particular work environment because, for example, workers are asked to leave their phones in a locker all day, which would give the NHS app a false picture of who the individual is coming into close contact with and for what duration.

It is already mandatory for employers in designated venues to keep a record of all staff working on a given day, their shift times and their contact details[7]. Some employers’ processes record more data than this, but such companies need to be careful not to breach the data protection principle of minimisation, by carefully considering whether they really need the additional information and whether the collection can be justified as a proportionate measure, given the risks arising from both collection and non-collection.

It is not compulsory for employers to ask their employees to use the NHS app as well as keeping their own test and trace records, however employees in designated venues should be able to use the NHS QR code in addition to any company process, if they wish. In non-designated venues which do not have an NHS QR code, staff can have the NHS app activated on their phone whilst at work but may also be asked to take part in and adhere to any specific company test and trace scheme.

[1] https://www.bbc.co.uk/news/technology-53095336
[2] https://www.bbc.co.uk/news/technology-52441428
[3] https://drive.google.com/file/d/1uB4LcQHMVP-oLzIIHA9SjKj1uMd3erGu/view
[4] https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/09/blog-data-protection-considerations-and-the-nhs-covid-19-app/
[5] https://www.legislation.gov.uk/uksi/2020/1005/made
[6] https://www.gov.uk/guidance/maintaining-records-of-staff-customers-and-visitors-to-support-nhs-test-and-trace
[7] https://www.gov.uk/guidance/nhs-test-and-trace-workplace-guidance