Can contact tracing app help ease lockdown?: Five key questions for UK government

Contact tracing app

With coronavirus cases finally falling in the UK, thoughts have turned to how to ease current lockdown conditions.

How can we return to some semblance of normality, and how will that look? Of course, the virus itself hasn’t disappeared, so there is a real danger of repeated spikes in new cases once the current social distancing measures begin to be relaxed.

One way of ensuring that new outbreaks do not spiral out of control is to put in place an effective means to test potential new case, trace contacts and quarantine potential carriers. Along with employing an estimated 18,000 ‘contact tracers’, the UK hopes to use technology to track and trace contacts, through a newly developed smartphone app.

The UK certainly isn’t alone in developing an app. Most European countries are also doing so, while similar apps have been in operating in South East Asia for some time. The apps work by recording proximity with other users of the app, so that when one individual tests positive or displays symptoms, all those who have been in proximity with the individual can be alerted automatically.

In the UK, the app is being developed by NHSX, the digital arm of the NHS in England. It is being tested in the Isle of Wight and is expected to be available more widely later this month. While there is an obvious need for speed in developing and rolling out contact tracing technology, if not done correctly, it could undermine rather than help efforts to contain the virus. Here are my five key questions that the government needs to answer:

Why has the government chosen to reject the model proposed by Apple, Google and other European countries?

There are many different ways to make a contact tracing app. Still, broadly these fit into two types – a centralised model, which relies on a central database of contacts, and a decentralised model, where contacts are stored locally on individuals’ phones. Apple and Google, the companies responsible for the majority of smartphone operating systems, have teamed up to develop a decentralised approach.

Most European countries have also chosen a decentralised model, which many experts believe is more secure and better for privacy. It also has the advantage that the apps can work across borders, which will be crucial when travel begins to open up. So the question for the UK government is, why take the opposite approach?

When will a data protection impact assessment be published?

Contact tracing, particularly the centralised model, involves the processing of personal information on a vast scale. Data protection laws apply whenever personal information which relates to identifiable individuals is collected and used.

When contemplating such a huge data collection exercise, organisations must carry out a data protection impact assessment. This is essentially a risk assessment, describing what data is collected and how it will be used, the associated risks, and any measures to mitigate those risks. The government has said that the UK’s app will meet all data protection requirements. So, why not publish the assessment?

Why not put statutory limits on the use of data?

The app will collect information about every user. This sort of information is a valuable commodity. Academics, security experts and privacy campaigners have raised real concerns about the potential for ‘mission creep’. Governments or private companies could use an app designed to trace potential contacts for all sorts of other purposes.

The government denies this and has stated that data will only be used as part of the fight against coronavirus and will be deleted once it is no longer needed. But the government will need the public’s trust for the app to work, and trust in governments is generally in short supply. So, why not legislate to ensure that the app and the data it generates is strictly limited? A group of academics has even drawn up draft legislation to do just that.

How will the government ensure enough people actually use the app?

The BBC has reported that up to 56% of the UK population will need to download and use the app for it to be effective. That’s 80% of all smartphone users. While many people will want to support measures aimed at easing the lockdown and preventing future outbreaks, it will be a huge challenge for the government to get anywhere near these numbers.

There is a danger that the app will never reach the sorts of numbers required to have an effect on managing the virus. If this is the case, will the government choose to make the app compulsory? And what about those without smartphones, or with older models that won’t support the app? These are real concerns which need to be addressed by the government now.

How can we be sure that the app is accurate?

Imagine that you download the app and receive an alert, warning you that someone you have been near to has exhibited symptoms of COVID-19. What happens next? Most of us would immediately self-isolate to ensure that we haven’t been infected. But this only works if the alerts are accurate. And here there are real challenges for the government.

From what we currently know, the alert will be triggered by self-diagnosis of symptoms, rather than confirmed test results. This is likely to mean a lot of false alerts. Individuals who receive an alert will then need to self-isolate until they are tested. Without access to quick and reliable testing, the app could find itself inadvertently spreading fake news, doing more harm than good. There are also technical challenges around the use of Bluetooth and the potential for some contacts to be missed, while others are recorded despite being at no risk (for instance being physically close but separated by a barrier).


Jon Belcher

Jon Belcher

Jon Belcher is a commercial lawyer with Blake Morgan, specialising in information governance, data protection compliance, information sharing and freedom of information issues.
Jon Belcher

https://www.blakemorgan.co.uk

Jon Belcher is a commercial lawyer with Blake Morgan, specialising in information governance, data protection compliance, information sharing and freedom of information issues.