Coronavirus: NHS contact-tracing app must not be released to public without privacy protections, MPs say

Get the free Morning Headlines email for news from our reporters across the world

Sign up to our free Morning Headlines email

Please enter a valid email address

Please enter a valid email address

SIGN UP

I would like to be emailed about offers, events and updates from The Independent. Read our privacy policy

The NHS contact-tracing app must not be released in its current form without increased privacy and data protections, a parliamentary committee has said.

The Joint Committee on Human Rights said it had “significant concerns” that must be addressed before it is rolled out to the general public nationwide.

The app, which is currently being trialled on the Isle of Wight, records users’ movements and can be used to alert people if they have had contact with someone who has developed coronavirus symptoms.

Ministers have hailed it as a key tool to study the spread of coronavirus and help them ease lockdown restrictions.

But privacy campaign groups have opposed its introduction and a group of UK academics working in cyber security, privacy and law recently signed a joint letter saying it could open the door to general surveillance.

The government has denied the claims but Harriet Harman, chair of the Joint Committee on Human Rights, said its assurances on privacy were “not enough”.

“The contact-tracing app involves unprecedented data gathering,” she added. “There must be robust legal protection for individuals about what that data will be used for, who will have access to it and how it will be safeguarded from hacking.”

The report called for new legislation to be drawn up governing the app’s data-gathering capabilities and guaranteeing data and human rights protections.

Committee members said they were highly concerned that the app has not yet been subjected to in-depth parliamentary scrutiny, and MPs should have a say “at the earliest opportunity”.

“The government has given assurances about protection of privacy so they should have no objection to those assurances being enshrined in law,” Ms Harman said.

“Parliament was able quickly to agree to give the government sweeping powers. It is perfectly possible for parliament to do the same for legislation to protect privacy.”

The committee also called for an independent body to oversee the app’s effectiveness, protections and public complaints. MPs suggested the creation of a new role, digital contact tracing human rights commissioner.

Members said the health secretary must review the app’s operations every 21 days, and be transparent about how data is being used.

“Without clear efficacy and benefits of the app, the level of data being collected will be not be justifiable and it will therefore fall foul of data protection law and human rights protections,” the report warned.

Isle of Wight MP Bob Seely said almost 30,000 people on the island downloaded the app within an hour of being sent official letters on Thursday morning.

“We are getting it first and we can help iron out any issues and help the tech people to refine it before it goes out to the rest of the country,“ he added.

“The more people use it, the more successful it will be.”

Giving evidence to the committee this week, the head of the unit developing it warned of “unintended consequences”.

Matthew Gould, chief executive of NHSX, said officials do not know “exactly how it will work”.

“There will be unintended consequences, there will for sure be some things we have to evolve,” he added.

“When we launch it, it won’t be perfect and as our understanding of the virus develops, so will the app.”

The report was published days after The Independent revealed that the app could be used to launch cyberattacks or to send malicious alerts causing people to isolate unnecessarily.

Unlike the apps being designed by other nations, which rely on positive Covid-19 test results, it allows users to self-report symptoms.

Dr Michael Veale, a lecturer in digital rights and regulation at University College London, said there was nothing to stop individuals “maliciously triggering notifications”.

He warned that people could “lose trust in the system” and ignore alerts if they discover false warnings were issued.

The National Cyber Security Centre (NCSC) has also raised concerns of possible cyberattacks where hackers could generate “realistic-looking proximity events” for large numbers of people.

Ian Levy, the NCSC’s technical director, said that self-diagnosis had brought “security challenges” that it was working to mitigate.

He added that removing self-reporting from the app would “make managing the disease very, very hard in the UK”.

Officials have said that if the NHS discovers a diagnosis was wrong, another alert telling people they can stop self-isolating will be sent out.

But with limited testing being carried out in the UK, it is unclear how frequently people’s declarations will be verified.

The app has generated privacy concerns because of its “centralised” system, which sends user data to a server controlled by public authorities.

Other countries, including Ireland, are using a “decentralised” model that works through individual phones and does not build a central database on how the disease is spread.

The Information Commissioner’s Office previously suggested that a decentralised approach would best protect user privacy.

Privacy campaigners have raised concerns that the app could be extended to monitor individuals’ movements and contacts, but the government emphasised that users will not need to give their names or other personal details.

Matt Hancock, the health secretary, said its purposes were “purely and simply to control the spread of the virus” and urged people to download the app.

The prime minister’s official spokesman said: “We prioritised security and privacy throughout the app’s development, with expert advice from the National Cyber Security Centre.

“Users can delete the app and its data whenever they want and we will always comply with relevant laws including the data protection act. We have also published the security and privacy designs so experts can ensure security remains as high as possible.”