Written evidence from the Equality and Human Rights Commission (COV0157)

the privacy implications of the NHS test and trace service

Introduction

  1. The Equality and Human Rights Commission has statutory authority to advise Government on equality and human rights implications of existing and proposed legislation, and can publish information and advice on equality and human rights matters.

 

  1. We support the primary role of Government in the current context: to keep people safe and protect our future, whilst ensuring respect for human rights. We recognise that the NHS Test and Trace service has the potential to play a key role in allowing the safe resumption of economic activity and social contact, while also protecting the rights to life and health.[1] While some interference with the right to private and family life[2] may be justified in the pursuit of this goal, it is crucial that this does not extend beyond what is proportionate and necessary to protect life and public health.[3]

 

  1. We support the Committee’s existing recommendations on the implications of the NHSX contact tracing app and consider many of these remain relevant subsequent to the announcement in June that the app will be reconfigured to use a decentralised system.[4] We have identified a number of concerns related to the manual Test and Trace service and the use of any future contact tracing app, and have made our own recommendations for addressing these issues below.

Manual Test and Trace service

  1. The Government launched the NHS Test and Trace service on 28 May, using human contact tracers to identify and control the spread of the virus.[5] Personal information about those who test positive[6] is provided to contact tracers by hospital and laboratory reports sent to Public Health England (PHE). Infected individuals are then contacted and asked to provide the contact details of anyone with whom they have been in close, recent contact.[7]

 

  1. Personally identifiable information of people who have Covid-19 symptoms and their contacts are kept by PHE for eight years[8] and five years respectively. The NHS states that data needs to be retained for this long because Covid-19 is a new disease and it may be necessary to control future outbreaks or to provide any new treatments.[9] We are concerned that the stated purpose for retaining personal data for these periods is vague. No explanation is provided for why the data of symptomatic individuals (who may in fact test negative for Covid-19) is retained for a longer period than people without symptoms (who may have Covid-19 but be asymptomatic). The General Data Protection Regulation (GDPR) stipulates that the processing of personal data should be limited to what is necessary in relation to the specified purpose,[10] and that data must be erased as soon as it is no longer necessary for that purpose[11] - in this case Covid-19 contact tracing.[12] We urge the UK Government to clarify and justify the specific types of data that will be retained by the NHS Test and Trace service, the purposes for retaining each type of data, and the retention period for each type of data.

 

  1. The NHS Test and Trace service was reportedly deployed without the NHS or PHE conducting a Data Protection Impact Assessment (DPIA).[13] The GDPR requires that a DPIA is carried out where the processing of data is ‘likely to result in a high risk to the rights and freedoms of natural persons’[14], which includes financial loss or any other significant economic or social disadvantage.[15] Given the scale of the Test and Trace service and the sensitive data collected, combined with the impact on rights and freedoms that arise from being asked to self-isolate for 14 days,[16] it is likely that the programme meets the threshold to require a DPIA under the GDPR.[17] The NHS and PHE must urgently complete and publish a Data Protection Impact Assessment for the overall NHS Test and Trace Service, as required by the GDPR.

 

  1. A number of private companies are involved in the NHS Test and Trace service, including Serco UK, which is providing contact tracing staff.[18] Prior to the launch of the Test and Trace service Serco UK reportedly accidently shared the email addresses of 296 newly recruited staff members, raising concerns over the company’s data handling practices.[19] Given that Serco UK also has a contract with the UK Government to provide border control and immigration services,[20] we are concerned that sensitive data collected in the course of the Test and Trace programme could be shared – intentionally or otherwise – for immigration enforcement purposes. The Government must ensure that all private companies involved in the Test and Trace service are GDPR compliant and fully aware of their obligations not to use data collected by the Test and Trace service for any purpose other than Covid-19 contact tracing.

 

  1. The New Policy Institute and Race Equality Foundation have highlighted concerns that the NHS Test and Trace service does not adequately encourage ethnic minorities to come forward for testing, citing previous experience illustrating that screening programmes for particular cancers have been less effective in reaching ethnic minority communities.[21] We urge the Department of Health and Social Care to make NHS Test and Trace information available in multiple languages, work with locally-based trusted intermediaries to better encourage ethnic minorities to come forward for testing, and provide advice on the economic, social and cultural implications of a positive test. For example, the Government should engage, support and build trust with organisations that represent Gypsy, Roma and Traveller communities, and produce specific guidance that reflects differences in living arrangements, and any specific challenges in self-isolating following a positive test.[22]

 

  1. Women’s Aid has raised concerns that NHS Test and Trace could have unintended negative consequences for survivors of domestic abuse. Perpetrators could use the service to make fraudulent claims that they have been in contact with survivors in order for them to be asked to self-isolate unnecessarily. Contact tracers could also inadvertently share with an abuser the contact details of a survivor who has left them.[23] The Department for Health and Social Care should ensure that all contact tracing staff receive robust training on domestic abuse as part of their wider safeguarding training. This should be developed with domestic abuse specialists and include how to speak to survivors safely, an understanding of the means in which perpetrators could manipulate the system, and the risks associated with disclosing contact information between those already personally connected.[24]

 

  1. Disabled people’s organisations have raised concerns about the accessibility of the NHS Test and Trace service, noting that no mention has been made of the specific needs disabled people may have during the process. Among other issues, organisations have raised questions about how a deaf or disabled person can alert the service to their communication needs, the availability of testing and tracing information in different accessible formats, including British Sign Language, and reasonable adjustments at testing sites.[25] The Test and Trace service must make use of a range of contact methods and ensure all information is available in accessible formats so that the service does not exclude disabled people. All contact tracing and testing staff should receive deaf and disability awareness training and reasonable adjustments should be in place to allow disabled people access to testing sites.

 

Contact tracing app

  1. We welcome the Government’s recent announcement that it will develop a contact tracing app based on technology developed by Google and Apple.[26] Unlike the original contact tracing app proposed by the Government, the Google and Apple software is based on a ‘decentralised’ model which ensures that exposure notification data is stored and processed on individual devices, rather than a central server.[27] This approach is more likely to build trust among marginalised communities[28] and comply with data protection laws, representing a more proportionate – and therefore more likely lawful – interference with the right to private life.[29]

 

  1. Though the decision to use a decentralised app is a positive step, it remains crucial that effective privacy safeguards are put in place to prevent the app being used for any means other than controlling the spread of Covid-19, and we continue to support the Committee’s recommendations in this regard.[30] In addition to producing a DPIA for the overall NHS Test and Trace service, we urge the Government to adopt primary legislation, such as the draft Bill provided by the Joint Committee on Human Rights, which will provide additional privacy protections and safeguards ahead of the launch of any future contact tracing app.

 

  1. Information regarding how data collected by the app will be used must be accessible and clear to all age groups, including children.[31] Children are at particular risk of having the app downloaded onto their phone by a parent or guardian without their consent.[32]  The NHS must ensure that all functions of the Test and Trace service comply with child safeguards provided by the GDPR, and are discharged with regard for the need to promote the welfare of children, in line with the Children Act 2004[33] and the UN Convention on the Rights of the Child.[34]

 

  1. Women’s Aid has raised concerns that the contact tracing app could put survivors of domestic abuse at risk of being tracked by their abusers. While the proposed contact tracing app itself will rely on Bluetooth rather than location data, Women’s Aid is concerned that in order for Bluetooth to work on Android phones location services have to be switched on. If a perpetrator has uploaded spyware onto a survivor’s phone or is able to hack into it, then turning on location data may expose their location to their abuser.[35] Before launching any future contact tracing app the NHS must ensure that that the app never requires location services to be enabled, regardless of the make and model of phone.[36]

 

  1. Privacy organisations have raised concerns that although installation and use of the app is intended to be voluntary, employers may place pressure on employees to use the app as a condition of work, or businesses could stipulate that access to their premises or services are conditional on use of the app.[37] Primary legislation should be enacted prohibiting use of any future contact tracing app becoming the basis for selection in employment or access to business premises or services.

 

  1. Consideration will need to be given to ensuring access to the app for different groups. A poll carried out by The Health Foundation and Ipsos Mori has revealed a significant divide in terms of likelihood to download and use the app along the lines of occupation, education level and age.[38]

 

  1. Consideration will also need to be given to potential unintended impacts on some groups. The Health Foundation has warned that the app may send false alerts to people who live in densely populated settings, where Bluetooth signals could be detected through thin walls without any face-to-face contact.[39] This risks having a disproportionately negative impact on people from lower socioeconomic backgrounds and ethnic minorities, who are more likely to live in overcrowded accommodation.[40] It could also have financial implications for those who are unable to work from home and are in low paid or insecure employment, who risk loss of income if they are repeatedly asked to self-isolate. Young workers, women and certain ethnic minorities are overrepresented in precarious and low paid roles.[41] In addition, pregnant women’s entitlement to Statutory Maternity Pay could be affected if they have to self-isolate with no income.[42] Before launching any future app the Government should publish an Equality Impact Assessment identifying segments of the population who may be digitally excluded from the health benefits offered by the app or disproportionately impacted by false or repeated alerts. Rectifying these issues will increase the efficacy of the app, further protecting public health and ensuring respect for the right to private life. 

 

14/07/2020

8

 


[1] Article 2, European Convention on Human Rights (ECHR); Article 6 International Covenant on Civil and Political Rights (ICCPR); Article 12 International Covenant on Economic, Social and Cultural Rights (ICESCR).

[2] Article 8 ECHR; Article 17 ICCPR; Article 16 Convention on the Rights of the Child (CRC).

[3] According to the UN Human Rights Committee, in order to be proportionate, restrictive measures “must be appropriate to achieve their protective function; they must be the least intrusive instrument amongst those which might achieve the desired result; and they must be proportionate to the interest to be protected”. Furthermore, “In no case may the restrictions be applied or invoked in a manner that would impair the essence of a Covenant right.” See Human Rights Committee (2004), General Comment No. 31: Nature of the General Legal Obligation Imposed on States Parties to the Covenant; and Human Rights Committee (1999), General Comment No. 27: Article 12 (Freedom of Movement); United Nations (April 2020), Covid-19 and Human Rights: We are all in this together, p. 16

[4] Joint Committee on Human Rights (7 May 2020), Human Rights and the Government’s Response to Covid-19: Digital Contact Tracing; Department of Health and Social Care (18 June 2020), Health and Social Care Secretary’s statement on coronavirus (COVID-19): 18 June 2020; BBC News (20 June 2020), Coronavirus: What went wrong with the UK’s contact tracing app?

[5] Department of Health and Social Care (27 May 2020), Government launches NHS Test and Trace Service.

[6] This includes name, date of birth, sex, NHS number, home postcode, house number, telephone number, email address and Covid-19 symptoms, including when they started and their nature.

[7] Close, recent contacts are contacted and asked to confirm or provide their full name, date of birth, contact details and details of any Covid-19 symptoms they may have had. See NHS (9 June 2020), NHS Test and Trace Privacy Information; Department of Health and Social Care (27 May 2020), NHS test and trace: how it works.

[8] Following legal proceedings by Open Rights Group and Ravi Naik, PHE has reportedly agreed to amend the previous twenty year data retention period for people with Covid-19 symptoms to eight years. See Big Brother Watch (June 2020), Emergency Powers and Civil Liberties Report [June 2020], p. 48

[9] NHS (9 June 2020), NHS Test and Trace Privacy Information.

[10] Article 5(1)(c), GDPR.

[11] Article 17(1)(a), GDPR.

[12] NHS (9 June 2020), NHS Test and Trace Privacy Information.

[13] Politico (28 May 2020), UK ‘test and trace’ service did not complete mandatory privacy checks; Wired (3 July 2020), Government faces court over NHS Test and Trace privacy failings.

[14] GDPR, Article 35.

[15] GDPR Recitals, Recital 75.

[16] Including the right to free movement (Article 12 ICCPR), freedom of assembly (Article 11 ECHR, Article 21 ICCPR), the right to a private and family life (Article 8 ECHR, Article 17 ICCPR) and the right to manifest religion or belief, including in worship (Article 9 ECHR, Article 18 ICCPR).

[17] Open Rights Group (4 June 2020), ORG demands Government act to secure ‘track and trace’ data; Mathew Ryder QC, Edward Craven, Gayatri Sarathy and Ravi Naik, Matrix Chambers (3 May 2020), Covid-19 & Tech responses: Legal opinion, para. 40.

[18] NHS (9 June 2020), NHS Test and Trace Privacy Information.

[19] The Guardian (20 May 2020), Serco accidentally shares contact tracers’ email addresses.

[20] Serco, Border control and immigration services.

[21] New Policy Institute and Race Equality Foundation, Evidence into Action; A review of the report by Public Health England into disparities in risks and outcomes of COVID-19 between ethnic groups by level of deprivation, p. 12.

[22] Friends, Families and Travellers (2020), Stay at Home: Guidance for Gypsy, Traveller and Liveaboard Boater Households with Possible Coronavirus (COVID-19) Infection’ and ‘Covid-19: Efforts to support gypsies and travellers in England must go further’.

[23] Women’s Aid (2020), Covid-19 Test, Trace and Tracking: The impact on survivors.

[24] This has been recommended by Women’s Aid. See: Women’s Aid (2020), Covid-19 Test, Trace and Tracking: The impact on survivors.

[25] Reasonable Access (11 June 2020), Open letter asking about accessibility of the entire COVID-19 Test and Trace system; Action on Hearing Loss (2020), Government’s new NHS Test and Trace programme needs to be accessible to all.

[26] Department of Health and Social Care (18 June 2020), Health and Social Care Secretary’s statement on coronavirus (COVID-19): 18 June 2020.

[27] Apple and Google (May 2020), Exposure Notification Frequently Asked Questions v1.1.

[28] This includes migrant communities and other groups who may be reluctant to interact with government agencies. See Foxglove, Joint Council for Welfare of Immigrants, Liberty, Medact, Open Rights Group, Privacy International (28 May 2020), Open letter: NHSX app safeguards for marginalised groups.

[29] Mathew Ryder QC, Edward Craven, Gayatri Sarathy and Ravi Naik, Matrix Chambers (3 May 2020), Covid-19 & Tech responses: Legal opinion, para. 64.

[30] Joint Committee on Human Rights (7 May 2020), Human Rights and the Government’s Response to Covid-19: Digital Contact Tracing

[31] Article 12(1), GDPR.

[32] Unicef (June 2020), Digital contact tracing and surveillance during COVID-19, pp. 16 and 22

[33] Section 11, Children Act 2004.

[34] Articles 3 and 16, CRC.

[35] Women’s Aid (2020), Covid-19 Test, Trace and Tracking: The impact on survivors.

[36] This has been recommended by Women’s Aid. See: Women’s Aid (2020), Covid-19 Test, Trace and Tracking: The impact on survivors.

[37] Open Rights Group, Article 19, Index on Censorship (22 May 2020), Response to the JCHR draft Digital Contact Tracing (Data Protection) Bill, p. 3.

[38] The poll found that 73% of people in managerial, administrative or professional jobs say they are likely to download the app, while this figure falls to 50% when it comes to routine and manual workers, state pensioners and the unemployed. One in five people aged 65 or older reported not owning a smartphone and therefore being unable to download any future app. See: The Health Foundation (3 June 2020), Contact tracing app threatens to exacerbate unequal risk of COVID-19.

[39] The Health Foundation (3 June 2020), Contact tracing app threatens to exacerbate unequal risk of COVID-19.

[40] Equality and Human Rights Commission (2018), Is Britain Fairer?.

[41] Department for Business, Innovation and Skills (2018), The characteristics of those in the gig economy; Recent analysis shows that BME women are three times more likely to be in precarious work and

are therefore unlikely to qualify for either SSP or furlough; Women’s Budget Group (April 2020) Crises

Collide: Women and Covid-19.

[42] Working Families (2020), Weathering the storm: the COVID-19 pandemic and working parents, p. 6