Contact tracing apps: one way out of lockdown

Overview

Contact tracing apps have been making headlines around the world and are now set to form part of the UK Government's strategy for exiting from lockdown and unlocking the economy until a vaccine or effective treatment for those infected with COVID-19 is found.

But what are these apps and how might they affect individuals and businesses? Whilst there are privacy concerns with tracing technology, with the correct procedures and policies in place these are by no means insurmountable. However, the potential for conflict between privacy concerns and public health concerns is likely to fuel debate in this area for some time to come.

What are contact tracing apps?

Contact tracing apps work by notifying those who have been in close proximity with an individual diagnosed with COVID-19, thereby helping to interrupt infection chains. Whilst each app will be slightly different, broadly speaking app users will exchange anonymous tokens with other app users in their proximity, typically via Bluetooth. Should an infected person upload their diagnosis on their app, a message will be sent in-app to all users who had recently exchanged tokens with the infected user and are therefore deemed an infection risk themselves. Those who have been notified will, we understand, be encouraged to self-isolate and/or report for testing to check whether they have actually been infected.

NHSX APP: AN OVERVIEW OF THE UK'S 'NATIONAL' APP

In the UK, we understand that NHSX, the digital innovation wing of the NHS, is currently at an advanced stage of developing such an app and is running a trial in the Isle of Wight as we write. Subject to the trial going well, Government sources suggest that the app could be rolled out nationally in a few weeks. We expect this app to be the most popularly used tracing app in the UK; however, the public could equally take up any app developed by private companies. Either way, expect an aggressive Government marketing campaign in the coming days and weeks – experts suggest as many as 80% of smartphone users need to actively use the NHSX app (equating to around 56% of the general population) for it to have the best effect. Achieving such a high figure will be an incredible challenge for the Government, who will be mindful of efforts made by tracing app trailblazers such as Singapore, who released a national tracing app in late March, but have since struggled to lift take-up beyond 20% of the population. This may prompt the Government to call upon business to play a role in encouraging higher levels of take-up (see further below).

As far as we know, NHSX is the only serious developer in the UK at the moment, but private companies and other public bodies may be in the process of developing such apps for deployment in the UK. We know, for example, that Netcompany, a Danish business employing 400 people in the UK, have developed an app which has been chosen by the Danish government for official roll out in Denmark. King's College London also released a symptom reporting app in March (which has already been downloaded by over 2 million in the UK), which they have used for their own clinical research purposes.

Contact tracing apps are just one type of app being considered in the global fight against COVID-19. Others include symptom tracking applications and those that produce digital immunity certificates (the latter theoretically granting those who have immunity to the virus certain privileges).

What personal data, if any, gets processed and where will any data be stored?

If the app processes personal data, compliance with the EU General Data Protection Regulation (GDPR) will need to be considered. Government ministers have said that little or no personal data in the ordinary sense of the meaning will be processed by the app (such as a user's name). However, under the GDPR personal data is defined broadly and can include data that identifies an individual by reference to a unique identifier (which is the case with the NHSX app where a unique "anonymous" token will be assigned to each user).

More conventional personal data that might be involved (whether at the app's launch or as seen in a later iteration) ranges from identity data such as the user's name to location data and health data. Note that health data is classified as "special category" personal data under the GDPR (i.e. more sensitive) and subject to stricter obligations. Any processing of personal data is likely to be justified on the grounds of consent of the app user or public health.

Whilst the final format and content of the app are still being tested, at a meeting of the UK Human Rights Committee on 4 May, Matthew Gould, the CEO of NHSX, explained that users will be required to enter the first half of their postcode onto the app. This will assist the Government in identifying particular virus hotspots and tracking infection rates. Perhaps more worryingly, he went on to say that the app will evolve during its lifecycle and that NHSX may request personal data such as age and gender details, with any such request grounded upon user consent.

If age, gender and the first part of a user's postcode are the only data collected, from a security perspective this is unlikely to allow a user to be identified by name. However, this data would still be subject to the GDPR for the reasons set out above.

In April Google and Apple announced a joint initiative including the launch of an application programming interface which would enable app users on Google and Apple devices to communicate anonymised tokens from their respective apps via Bluetooth. This initiative envisages a decentralised storage of data – any personal data would be stored on the individual's device, and there would be no exchange of identifiable personal data between two devices. As noted by the ICO, as a general rule this approach is more in line with the GDPR data minimisation principle.

NHSX APP: A CENTRALISED APPROACH TO DATA STORAGE

NHSX is reported to be involved in discussions with Google and Apple but at the time of writing, the indications from the Government are that the NHSX app will instead adopt a centralised approach, with a central server storing a user's matches and sending out positive notifications where relevant. UK health authorities would presumably run this central server, making them the data controller responsible for compliance with the GDPR. Most European governments are following Apple and Google's decentralised approach, with the UK joined only by France and Norway in developing an app with central data storage, although advocates insist this will allow UK health authorities to maximise the app's effectiveness. That said, some degree of cooperation from Google and Apple is likely to be important, at least from a technical perspective – for example, to ensure that the app can run in the background without imposing an excessive drain on smartphone batteries.

One of the reasons why NHSX favours a centralised approach is thought to be a desire to reduce the number of notifications which turn out to be "false positives" (e.g. because the level of contact was so minimal that it could not have resulted in transmission of the virus). This may be out of concern that too many false positives will undermine confidence in the app, potentially leading people to delete it from their smartphones. Other concerns about the decentralised approach are thought to relate to the greater potential for malicious use and the difficulty of using it to collect data centrally to monitor the spread of the virus across the country. However, NHSX's centralised approach raises more issues under both human rights and data protection law, as set out in a legal opinion from Matrix Chambers and the data rights agency AWO (which also outlines further concerns about proposed data sharing between the public and private sectors).

Guidance from the ICO and the EU

The guidance from the UK regulator, the ICO, and the EU is united in the view that data protection legislation should not be viewed as an inconvenience but rather as integral to the construction and maintenance of such apps. This position is understandable for many reasons, not least if defective security measures mean that the app is hacked resulting in app users receiving false notifications – in such circumstances, the app could be an obstacle to economic recovery and containment of the virus.

ICO KEY POINTS

We expand on a few points from ICO guidance below:

  • Data minimisation: The app should collect the minimum amount of data required. For example, we can see no reason why a contact tracing app requires a person's name to be disclosed for the app to be effective. Further, as outlined by the European Data Protection Board, the processing of location data is not strictly necessary for contact tracing.

  • Privacy by design and by default: This means that data protection must be integrated into the processing activities of the relevant parties from the app's creation to the end of its lifecycle.

  • User control: The app should only be downloaded voluntarily, despite the clear repercussions for take-up. Further, a user should be free to turn off the data sharing functionality (for example, Bluetooth) and delete the app should they so wish.

  • Purpose limitation: Any personal data should be used exclusively for the purpose of contact tracing and this should be communicated in a clear statement of purpose to users. The app should be discontinued once the pandemic has ceased and any residual personal data howsoever stored should be destroyed permanently.

  • Security: The app should use pseudonymous identifiers generated, where possible, on the device and not on any Government server. The app should also use cryptographic techniques to secure the data and ensure security measures are hard-wired into the design of the app.
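The decentralised approach and the on-device pseudonymous identifiers described above can be sketched as follows. This is an added, simplified model, not the NHSX app's or Google and Apple's actual protocol; the class and function names, the HMAC derivation and the 15-minute token rotation are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

INTERVALS_PER_DAY = 96  # assumption: tokens rotate every 15 minutes


def derive_token(daily_key: bytes, interval: int) -> bytes:
    """Pseudonymous token for one interval, derived from an on-device secret."""
    msg = b"token" + interval.to_bytes(2, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Device:
    def __init__(self) -> None:
        self.daily_keys = {}  # day -> secret key, generated and kept on the device
        self.heard = set()    # tokens seen nearby, kept on the device

    def broadcast(self, day: int, interval: int) -> bytes:
        key = self.daily_keys.setdefault(day, secrets.token_bytes(32))
        return derive_token(key, interval)

    def receive(self, token: bytes) -> None:
        self.heard.add(token)

    def report_diagnosis(self) -> list:
        # Only the user's own daily keys are uploaded: no name, no contact list.
        return list(self.daily_keys.values())

    def exposed(self, published_keys: list) -> bool:
        # Matching happens locally by re-deriving tokens from published keys.
        return any(derive_token(k, i) in self.heard
                   for k in published_keys for i in range(INTERVALS_PER_DAY))


def simulate() -> dict:
    alice, bob, carol = Device(), Device(), Device()
    # Constructed encounter: Alice and Bob are in proximity on day 0, interval 40.
    bob.receive(alice.broadcast(0, 40))
    alice.receive(bob.broadcast(0, 40))
    carol.broadcast(0, 40)  # Carol is elsewhere and hears nobody
    published = alice.report_diagnosis()  # Alice uploads her diagnosis
    return {
        "bob_notified": bob.exposed(published),
        "carol_notified": carol.exposed(published),
        "tokens_rotate": alice.broadcast(0, 40) != alice.broadcast(0, 41),
    }


if __name__ == "__main__":
    print(simulate())
```

In this model the server only ever relays the diagnosed user's keys; under a centralised design the matching step in `exposed` would instead run on the central server, which would therefore hold each user's matches.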

 

Looking across to Europe, EU bodies have recently published a Roadmap towards lifting containment measures which envisages the vital role that apps may play in the immediate future as well as a specific "Toolbox" providing guidance to EU Member States in the design of contact tracing apps. The Toolbox, in particular, largely reflects the guidance issued by the ICO and outlines that fourteen Member States have either launched or intend to launch such apps.

How might businesses make use of contact tracing apps and what are the potential issues to consider?

Businesses may wish to make use of contact tracing apps as a way to help provide an additional assurance that those entering premises – whether employees, customers or other visitors – do not appear to have been infected. One way of doing this would be to ask individuals wishing to enter whether they have the app installed on their smartphone and if so, what their status is (i.e. that they have not received a possible infection alert). Indeed, given the need for very high take-up of the app, it is possible that Government may actively encourage businesses to take this kind of approach – because if people are regularly being asked about the app on entry to their workplace or when they do their shopping, they may be more likely to download it.

The extent of an employer's responsibility for privacy in relation to such apps will depend to a certain degree on whether (i) the employer is simply relying on its employees to pass on relevant information to it, generated from Government sponsored contact tracing apps to the extent that employees have loaded these onto their smartphones or (ii) the employer opts to take matters into its own hands by procuring/imposing its own technology solution via an app.

OPTING FOR YOUR OWN TECHNOLOGICAL SOLUTION: THE ISSUES

Opting to buy in/use its own technology as opposed to Government sponsored apps, will most likely mean that the employer has greater data protection responsibilities in respect of any data which is generated by the app. This is because it will be the data controller in respect of all data generated by the app (as opposed to simply the output of any information it asks for from employees who are using Government sponsored apps). The employer will have more to tell its employees in terms of ensuring transparency, and more data that it will need to keep safe; and it is likely to have to put data processing agreements in place with the providers of such apps if they are holding or have access to data collected via the app on behalf of the employer (with this will come due diligence obligations to ensure that data is kept safe and secure by app providers).

This analysis also applies in respect of other tools that tech and other companies are racing to build, such as employee health screening devices. These tools are designed to give businesses more control over potential outbreaks when they do open up their offices and facilities, and with it greater confidence to bring their employees physically together again.

Nevertheless, there are similarities between reliance on an employee using the Government backed app and an employer using technology they have developed or procured on their own. In both cases: (i) the processing of data will need to have a lawful basis, (ii) the employer should only process the data it needs, (iii) privacy policies will need to be updated so that the employer is transparent about the data it is collecting and what the data will be used for and (iv) data will have to be kept secure and only for so long as necessary. Similar measures will need to be adopted as those put in place to process other COVID-19 related personal data (for further details of such measures, please see our earlier briefing here).

Employers will also have to consider the impact which contact tracing may have on health and safety obligations and update employment policies accordingly. For example, they may well have to prevent employees who are traced by an app as having been in contact with an infected person from entering the workplace, even when an employee is otherwise seemingly healthy.

What about customers and other visitors to premises?

Whilst these apps are most likely to impact organisations in the employment realm, there could be broader consequences, with the possibility of consumer facing businesses particularly in retail, leisure and hospitality sectors having to consider the collection of data from either the NHSX app or any other app with a recognised status in the market in respect of visitors/customers to their premises. For example, retail outlets may want to see whether a customer has a 'green light' confirming they have not been exposed to infection on an app before permitting entry. Similarly, when they are permitted to re-open, restaurants and gyms may want to take similar information when booking diners in or before readmitting gym members.

CUSTOMERS AND OTHER VISITORS: THE DATA PROTECTION IMPLICATIONS

Whether data protection rules are engaged will depend very much on whether any personal data has to be processed by the business in the first place. For instance, the mere checking for a 'green light' by a retail outlet without taking the identity of visitors and customers is unlikely to result in the processing of personal data, thereby side-stepping data protection concerns. However, where a more involved process is put in place, such as recording health data against a guest or member's name (for example as part of a restaurant booking process or linked to a gym membership card), data protection compliance would have to be considered and wired into the process. Either way, businesses will have to think carefully about whether it is proportionate to ask for this information, from a reputational perspective as well as for legal reasons. In particular, they will need to think carefully about how strictly they apply any such policy and who they are prepared to make exceptions for (for instance, statistically smartphone ownership declines among older generations).

How much reliance should the Government and business place on contact tracing apps?

As noted above, any Government sponsored contact tracing app will need very high levels of take-up if it is to be fully effective and will also need to address a number of legal concerns (although in our view, the latter are not insurmountable). For these reasons and those discussed in this briefing, it would seem inadvisable for either Government or business to focus too heavily on technology-based solutions of this kind.

Other measures are likely to be equally if not more important in containing the virus, such as adhering to guidance about hand hygiene and social distancing and manual contact tracing (where people known to have been infected are contacted by public health officials and asked who they have been in contact with recently). Indeed, in respect of the latter, we note that the Government is in the process of appointing 18,000 manual contact tracers to assist with the contact tracing initiative which will partly offset some of the shortcomings of the app.

In addition, the Government ideally needs to ensure that adequate facilities are available so that someone who receives a notification through the app of possible contact with an infected person can be tested promptly to find out if they really do have the virus. A failure to provide this capacity may create a perverse incentive for individuals not to download the app (or not to carry their smartphones with them), out of concern that it may produce a significant number of "false positives", leading individuals to self-isolate when they do not actually need to because the person they have been in contact with does not in fact have the virus.

This is a rapidly developing area – since our earlier Firm briefing we know a great deal more. When the NHSX app is formally launched in the UK, watch out for supporting guidance and perhaps primary legislation from the UK Government about how individuals and businesses are to use such apps, together with guidance from the ICO.

Key Contacts

Louisa Chambers
Vivien Halstead
Jonathan Rush
