Written evidence from the Open Rights Group (COV0127)

 

S0. Executive summary

1.    Open Rights Group (ORG) is a UK-based digital campaigning organisation working to protect fundamental rights to privacy and free speech online. With over 3,000 active supporters, we are a grassroots organisation with local groups across the UK.

2.    This submission is in response to the Joint Committee on Human Rights Committee (JCHR) call for evidence on the The Government’s response to COVID-19: human rights implications. In particular we raise concerns about the impact of the centralised model of data collection in the NHSX app with regard to marginalised and vulnerable groups.

3.    We call on the government to either change from a centralised to a decentralised model of data collection in the new NHSX app or adopt legal safeguards. We also recommend specific areas for the JCHR to take action.

S1. Open letter: NHSX App Safeguards For Marginalised Groups

 

ORG along with Medact, the Joint Council for the Welfare of Immigrants (JCWI), Liberty, Privacy International and Foxglove published an open letter on 28 May 2020. The letter raises awareness about the impact the centralised model of data collection employed in the NHSX App will have on marginalised and vulnerable groups.[1]

 

The letter  was sent to the Secretary of State for Health and Social Care and the Home Secretary in order that our concerns about the participation of vulnerable groups in the Track and Trace App be addressed.

 

We are concerned that using a centralised contact matching system with more invasive data collection than a decentralised model will affect the take-up and public trust required to make the NHSX app a success. And that marginalised and vulnerable groups, are not adequately considered in the development of this app, nor legal and technical safeguards provided. This includes, but is not limited to: people whose immigration status may be irregular, such as undocumented migrants and individuals whose visas have expired, failed asylum seekers receiving Section 4 support, people with NRFP (no recourse to public funding), asylum seekers who are appealing a decision, people awaiting visa extensions, or others who may be in a situation of a legal uncertainty. These concerns can also be shared by a much wider set of migrants and ethnic minorities, who have every legal right to be in this country but will be reluctant to entrust the app with their private data without clear safeguards and guarantees.

 

We have not yet received a response to these concerns. If the Government moves ahead without addressing them, we fear that either the data gathered via the NHSX app will be incomplete or pockets of exclusion may appear. Both of these outcomes create risks to public health and may undermine other efforts to tackle the spread of the virus. We believe the Committee can play a pivotal role in holding the government to account and push them to deal proactively with these concerns.

 

S2. NHS Track and Trace programme

Similar concerns will need to be raised about the wider Track and Trace programme. This has been rushed out without a data protection impact assessment, and states that data will be retained for 20 years. Additionally, security concerns have been raised.

We are concerned also that the Information Commissioner has not yet acted to push the Government to deal with any of these concerns before tools and programmes are launched. We have submitted detailed evidence about the ICO’s poor performance and inability to enforce data protection rules to the DCMS Committee and will supply further detail to this Committee in due course.

 

S2. Recommendations to the Committee

1.    The Committee should call on the government to consider switching to a decentralised model with identifiers that change with greater frequency. This model has been found to be more likely to comply with both human rights and data protection laws and to enhance trust.

2.    If the Government continues with the centralised model, the Committee should ask the Government to:

1)   conduct a Vulnerability and Risk Assessment and put in place mitigation strategy and measures ensuring marginalised and vulnerable people are not excluded;

2)   clarify who holds the collected data, who has access to it, how it will be shared between the platform and private and government agencies. Also, set clear purpose limitations for its use and to avoid function creep. Under no circumstances should the immigration exemption contained in paragraph 4 of Schedule 2 to the Data Protection Act 2018 be relied upon for any processing of/ requests for personal data relating to the contact tracing app.

3)   Provide guarantees that data shared through the contact tracing app will not be used to deny access to public services or for the purposes of immigration enforcement. These guarantees must be in the form of legal safeguards, such as, but not exclusively, the ones included in the ‘Digital Contact Tracing (Data Protection) Bill’ promoted by the Joint Committee on Human Rights; and through technical safeguards, such as a “firewall” – which will ensure personal information collected by the app will never be shared with the Home Office for immigration enforcement purposes.

3.    The Committee can raise the data protection concerns over the Track and trace programme in the same light, to ensure that privacy and data protection are maximised. In particular, the security risks, lack of a Data Protection Impact Assessment, the lack of clarity on data sharing and the 20 year data retention period should be raised by the Committee.

 

Appendix: Open Letter

 

May 28, 2020

To:

The Secretary of State for Health and Social Care

The Home Secretary

We are civil society organisations and privacy advocates writing to express concerns that the NHSX app being developed as a response to the Covid-19 pandemic, is using a centralised contact matching system with more invasive data collection than a decentralised model.

Contact tracing is a fundamental part of epidemiology going back to the field’s founder, John Snow, and we agree that it is an essential part of managing this pandemic to be undertaken along with mass testing and quarantine measures. Contact tracing must be designed and implemented as part of a broader comprehensive public health framework to be successful and effective to serve the public health needs.

Widespread public trust and take-up are crucial to ensure the contact tracing app is downloaded and installed in the necessary numbers to ensure the measures are effective. In this regard, transparency and respect for privacy and other fundamental rights are essential elements in securing that trust and cooperation. This is upheld also by the World Health Organisation which states that the ethics of public health information, data protection, and data privacy must be considered at all levels of contact tracing activities and that contact tracing measures should not be associated with security measures, immigration issues, or other concerns outside the realm of public health.1 In this regard, we call on the government to particularly consider the impact this technology will have on marginalised and socially excluded people.

A range of groups and individuals in precarious situations may be unable or unwilling to use the technology for a variety of reasons. They may be facing significant material deprivation, lack access to mobile technologies or have devices that do not support the app, be socially excluded and marginalised, be reluctant to interact with governmental agencies or technologies and worried about data sharing.2 These concerns are reinforced by the hostile environment policy, which has eroded overall trust between ethnic minorities, migrant communities and the Home Office.

Considering these factors, among our concerns are that either the data gathered via the NHSX app will be incomplete or pockets of exclusion may appear. Both of these outcomes create risks to public health and may undermine other on-going legitimate and necessary efforts to tackle the spread of the virus, while at the same time further enhance discrimination practices certain population groups are already experiencing.

Therefore, we call on the government to consider switching to a decentralised model with identifiers that change with greater frequency, which has been found to be more likely to comply with both human rights and data protection laws and to enhance trust.

If the government continues with the centralised model, we call for it to:

      Publish its assessment of risks and mitigations for vulnerable and marginalised groups.

      Clarify who holds the collected data, who has access to it, how it will be shared between the platform and private and government agencies. Also, set clear purpose limitations for its use and to avoid function creep. Under no circumstances should the immigration exemption contained in paragraph 4 of Schedule 2 to the Data Protection Act 2018 be relied upon for any processing of/ requests for personal data relating to the contact tracing app.

      Provide guarantees that data shared through the contact tracing app will not be used to deny access to public services or for the purposes of immigration enforcement. These guarantees must be in the form of legal safeguards, such as, but not exclusively, the ones included in the ‘Digital Contact Tracing (Data Protection) Bill’ promoted by the Joint Committee on Human Rights; and through technical safeguards, such as a “firewall” – which will ensure personal information collected by the app will never be shared with the Home Office for immigration enforcement purposes.

      Such safeguards also need to be accompanied by a clear communication campaign from the government and the NHS focused on communities to create much needed trust and confidence in the NHSX app.

This is important to ensure fundamental rights are protected during the pandemic and as new measures are introduced post-lockdown. It is also essential to ensure both trust in and take-up of the planned measures and ultimately to make them successful in helping to contain the Covid-19 pandemic.

We would appreciate a response as soon as you are able to and before the app is launched.

Signed (in alphabetical order),

Foxglove

Joint Council for the Welfare of Immigrants

Liberty

Medact

Open Rights Group

Privacy International

1 https://www.who.int/publications-detail/contact-tracing-in-the-context-of-covid-19

2 https://privacyinternational.org/long-read/3752/coronavirus-tracking-uk-what-we-know-so-far

 

04/06/2020


[1]https://www.openrightsgroup.org/publications/open-letter-nhsx-app-safeguards-for-marginalised-groups/