Smartphone contact tracing and data privacy: the Isle of Wight experiment

On Tuesday 5 May, the government made available the trial of the NHS contact tracing app (“test, track and trace”) to residents of the Isle of Wight as the first phase of a projected national roll-out by June.

Making use of the app is voluntary. Users may download it to their smartphones to notify the health service of detected or apparent COVID-19 symptoms. The app then alerts others when the central database receives a proximity alert by way of Bluetooth Low Energy (BLE) or GPS logs from the phone of the person who has or shows the symptoms. The recipient of the alert may be advised to get tested (where possible) or to self-isolate. The app is claimed not to gather or transmit “personal data” (information that identifies or could identify living persons) when it is put into use.

Problems with the Isle of Wight trial that have already been identified include whether the app can be downloaded to certain older-generation smartphones, as well as the general take-up of the app on an opt-in basis, which nationally will need to exceed 56% of the population for the app to be viable as a tool for ending the lockdown. Only about 35% of Isle of Wight residents had downloaded the app at the time this article was written.

Alternative contact tracing apps

The app has been developed by NHSX, the digital innovation arm of the NHS, as a centralised system that relies on servers which are accessible to government as well as potentially to third parties. If the government implements the “NHSX app” throughout the country, concerns will intensify as to the security of the personal data it processes. The risks that are in contemplation include the possibility of intrusive governmental scrutiny and of hacking (data breach) by third parties that might make the use of the app unlawful under current data protection law.


Using BLE, which works with lower power consumption over short distances, is seen as being preferable to GPS which tracks movements and is therefore more likely to be incompatible with data minimisation principles.


An alternative to the NHSX tracing technology is the Contact Tracing Framework (CTF) that has been developed by Apple and Google. The CTF works on a decentralised basis without the need for personal data to be in any place other than users’ own phones. It also uses Bluetooth for the exchange of cryptographic tokens, or “identifiers”, which remain within the device itself when contacts are transmitted. No access is granted to any third parties to the personal data (user name, location or network account information) relating to the user.
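The decentralised model described above can be illustrated with a simplified sketch. This is an added example, not code from Apple, Google or NHSX, and it does not reproduce their specification: the HMAC-SHA256 derivation, the 10-minute rotation interval and all class and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

INTERVALS_PER_DAY = 144  # assumption: the broadcast identifier rotates every 10 minutes

def rolling_id(daily_key, interval):
    """Derive the short-lived identifier broadcast over Bluetooth for one interval."""
    msg = b"rolling-id" + interval.to_bytes(2, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]

class Phone:
    def __init__(self):
        self.daily_key = os.urandom(32)  # random key; carries no name, location or account
        self.heard = set()               # identifiers seen nearby, stored only on this device

    def broadcast(self, interval):
        return rolling_id(self.daily_key, interval)

    def observe(self, identifier):
        self.heard.add(identifier)

    def report_diagnosis(self):
        """Opt-in upload: only the random daily key is published."""
        return self.daily_key

    def check_exposure(self, published_keys):
        """Matching runs on the phone: re-derive identifiers from the published
        keys and compare them with the locally stored observations."""
        return sum(
            rolling_id(key, i) in self.heard
            for key in published_keys
            for i in range(INTERVALS_PER_DAY)
        )

def simulate():
    # Constructed scenario: Bob is near Alice for three intervals; Carol only meets Bob.
    alice, bob, carol = Phone(), Phone(), Phone()
    for interval in (10, 11, 12):
        bob.observe(alice.broadcast(interval))
    carol.observe(bob.broadcast(50))
    published = [alice.report_diagnosis()]  # all the server ever holds
    return bob.check_exposure(published), carol.check_exposure(published)
```

In this sketch the server learns only the random keys of users who choose to report; who met whom is computed, and stays, on each phone.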

Data protection legislation and tracking technology

Any tracking technology that involves the processing of personal data will be regulated by data protection legislation. Relevant law in the UK is primarily contained in the Data Protection Act 2018. The Act incorporates the General Data Protection Regulation (GDPR) which came into effect in the EU nearly two years ago. The use of tracing apps may constitute a significant challenge to the robustness of the GDPR and the data protection principles which apply universally to government and public bodies as well as private businesses.


In the UK, data protection legislation is enforced by the Information Commissioner’s Office (ICO) which has accepted the challenge of policing the operation of the tracing apps that are put into use.

The ICO has confirmed that it is prepared to supervise the operation of tracing apps in the circumstances of the present emergency. It does not however believe that its function is to sign off the NHSX app or any app. The confirmation comes just as a complaint has been made to the European Commission that the GDPR is being compromised by lack of enforcement because of limited resources on the part of local regulators such as the ICO.

The ICO’s position on contact tracing apps

The Information Commissioner herself, in giving evidence recently to the Parliamentary Joint Committee on Human Rights, has argued that it is impractical to set up any new overseeing authority. NHSX has committed itself to ICO oversight and the Information Commissioner anticipates that NHSX will soon issue a Data Protection Impact Assessment (DPIA) and a privacy notice.


The ICO has a marginal preference for a decentralised tracing app such as a version of the CTF. It has now published a statement of its position, explaining the need for the DPIA to be finalised prior to implementation of any tracing app that is adopted on account of “the high risk to the rights and freedoms of individuals”.


The statement sets out the principles of transparency concerning purpose, design choice and benefits of the app, which must collect the minimum amount of personal data that is necessary to protect all users of the app and give them control over how it is used. Personal data collected must only be retained for a minimum amount of time and be securely processed at all times. The app must not undermine privacy by imposing further usability requirements but enhance privacy wherever it can. These are basic essentials that should reveal how NHSX will deal with the processing of data in such a way as to demonstrate compliance with the GDPR. This is important if public trust in the app is to be established. But even if they are implemented to the letter, will they be sufficient?

Privacy concerns


Academic opinions were also given to the Human Rights Committee. They generally supported the need for new legislation to implement the need for data minimisation, limited purpose (no “mission creep”), transparency and the need to ensure that public adoption of the app must always be voluntary. The academic experts advocated the CTF as a preferable alternative since it is decentralised and not open to government misuse at the expense of civil liberties and human rights or easily susceptible to cybercrime.


The Committee concedes that the NHSX app could be useful to help mitigate the effects of the lockdown, but in its present form it does not protect privacy sufficiently well and could be unlawful. It now favours new laws that go beyond the GDPR as an essential requirement to win trust and confidence in the technology behind the app.


The way the NHSX app works has given rise to concerns from privacy campaigners. Foxglove has questioned whether data privacy and equality legislation offer sufficient legal protection to the public. The Open Rights Group has gone so far as to allege that the government has been “proceeding unlawfully with its trials”.


Matthew Ryder QC, Edward Craven and others of Matrix Chambers, one of the leading sets of human rights barristers, were instructed by the Open Society Foundations to provide an opinion on the legal concerns relating to smartphone tracing. The issues in the main relate to compliance with data protection legislation and human rights law. The opinion concludes that a decentralised system such as the CTF is more likely to comply with data protection and human rights law.


There is so far insufficient justification of the legal basis of processing data through the NHSX app. The expected DPIA should be made public.

Conclusion


The NHSX app is open to abuse but may have the advantage of allowing central compilation of anonymous data to enhance strategies that would improve social distancing. However, the possibility is lost if the Isle of Wight trial fails through lack of public trust, the absence of wide take-up, or indeed the availability of testing of alerted users on demand.

A decentralised app such as the CTF has been widely employed in the EU and elsewhere and would be a less privacy-compromising technology that would be unlikely to require the passing of new laws in the present emergency situation.

Implementation of a suitable contact tracing app is an unfolding situation. At the very least, the legitimacy of the centralised NHSX app will depend heavily on the fitness for purpose of the GDPR if it is decided that there is no necessity to pass further laws to legitimise the use of the app in the Isle of Wight and nationwide.
It will be interesting to see what the next developments will be and whether present data protection law is adequate to meet the challenge.


If you have any concerns with respect to downloading the NHSX app or if you need advice on the protection of your personal information, please contact any member of our Commercial team.

