The Covid-19 Contact Tracking App
People are baffled by the COVID-19 Contact Tracking App, from how it will work to how safe their data will be.
The app aims to quickly trace recent contacts of anyone who tests positive for the virus and is part of the government's strategy for coming out of lockdown and staying one step ahead of the virus. The aim is to have widespread testing and contact tracing in place to monitor and reduce any future outbreaks.
At Xynics we are all Data Protection Practitioners, and all could see the potential concerns that some people could have, however knowing and understand the application of the law and the technology, the app is not in contravention of our data rights nor is it unlawful.
One of the first things to say is that using the app is voluntary and you can delete the app and all of its data whenever you want. It won’t store anything that identifies the individual unless the user gives permission and location data only stored with a further Opt-In consent.
How the App will work
The app is free and simple to use. Once you’ve downloaded the app, Bluetooth technology on your phone will record the distance between other phones that also have the app installed. (Bluetooth tracking will work as long as the app is running, even if it’s in the background).
The app will not impact on the performance of other apps on your phone. It will also work alongside all other Bluetooth features in the background.
If you become unwell with symptoms of coronavirus, you inform the app.
The app will then:
- anonymously warn other app users who have been near you – and send them official NHS advice on what to do next, (this alert should be within 4 hours).
- provide you with advice from the NHS on the right action to take to help stop the virus spreading further
- If necessary, direct you to your nearest test centre
It is hoped that the app will complement more traditional measures that, seamlessly working together, protects vulnerable groups and those who cannot or do not want to access digital tools.
Although the app records distances between individual phones, it will not measure your location. The data in the app will only ever be used for NHS care, management, evaluation and research.
What Phone will it work on
The app can currently be downloaded for Apple (iOS versions 11 and higher) and Android (versions 8 and higher) smartphones. They are working on supporting earlier versions of these operating systems, as well as additional operating systems in future where possible.
Your phone must have Bluetooth enabled in order for it to work.
As always privacy and data security are crucial to the NHS. The NHSX - the part of the health service that developed the app has said as part of their commitment to transparency, they will publish the key security and privacy designs alongside the source code.
The Information Commissioner’s Office has said that it will rigorously police the UK contact tracing app to ensure that the privacy rights and freedoms of individuals are not compromised. According to the ICO’s official statement, “People must have trust and confidence in the way personal data is used to respond to the COVID-19 crisis. The ICO also recognises the vital role that data can play in tracking the pandemic and the need to act urgently. We have been working with NHSX to help them ensure a high level of transparency and governance”.
To work, NHS COVID-19 randomly generates a random, unique ID for the app on your phone, the ID is fixed but encrypted with a random key pair which is synced with the server, this key pair will change every day on most phones, and every 15 minutes on Apple based phones, so your phone can’t be compromised but the NHS know which device has which fixed ID and only they can decrypt it.
The app then records:
- how long you are close to another anonymous app use
- the date and time of these encounters
- the signal strength of other anonymous app users’ Bluetooth, to work out how far apart you were from them.
This data will remain on your phone and cannot be accessed by anyone unless you choose to upload it if you later develop symptoms of coronavirus.
If you develop coronavirus symptoms and choose to share the anonymous record on your phone with the NHS, this data will be stored in a secure database in the UK.
The NHS will then send an anonymous alert to app users who you came into significant contact with over the previous few days. This alert will not identify you in any way.
Why the app asks for your postcode
The NHS COVID-19 app only uses your postal district. This is the first part of your postcode, for example “PE12”. This generally contains about 8,000 addresses. It will not provide a precise location as to where you live.
Why your postal district will help the NHS:
- The NHS will use the app to predict and manage demand on local hospital services
- provide tailored advice to people living within a hotspot area if necessary
- improve the ‘contact risk model’ that determines which app users should be notified when an app user develops coronavirus symptoms
Additional location data will only be recorded if users agree to a further opt-in request.
The app on your phone will keep a log of anonymous contact data for a maximum of 28 days. After 28 days, this information will be deleted.