Technology Law: Track and Trace, is it protecting your personal data?

Is the technology up to the challenge? Should we share our personal data? Is this going to be effective? Are we exposing our personal data to hackers?

As the number of fatalities in the Covid-19 pandemic reduces, the UK Government launched, on 28 May 2020, a new tech initiative to keep us, the public, safe; this is called Track and Trace. This initiative was rolled out on the Isle of Wight on 5th May 2020 and since then it has gone nationwide. It was successful on the Isle of Wight and therefore is still thought to be a good tech initiative to combat the deadly virus. However, the news seems to suggest it has been ineffective and underused.

What is Track and Trace?

This is a tracing service created by the UK Government to identify those who have had close contact with a person who has tested positive for Covid-19. The Government has said it will take on 18,000 contact tracers and 3,000 of those will be qualified public health and clinical professionals. To conduct the task of Track and Trace, these NHS Contact Tracers will be contacting people who have been exposed and asking them to self-isolate for 14 days.

There are a few issues with this service, and one is that the tracing app itself has been delayed until the wintertime. This delay means it is not going to be able to assist in controlling the pandemic as swiftly as the public had hoped it would. Its workers have admitted that it has been used only in a limited capacity, and we do have to wonder who is enforcing the isolation, if anyone. We also must wonder whether there are any private tech companies out there now that could create and bring to market a new technology similar to Track and Trace to keep the UK public safe immediately. We have many clients racing to complete their testing of technology with which they can help monitor a person's health and flag up any warning signs, without having to provide information to the government, but this takes time, money and testing capacity.

Collecting Data as you are tested.

Previously only health professionals and key workers could obtain a Covid-19 test, but now things have changed and anyone who has the classic symptoms of Covid-19, meaning a cough, high temperature, sore throat and flu-like symptoms, is able to attend a testing centre and have a free Covid-19 test.

This testing system is new and was not available to the general public before or at the height of the pandemic, unlike in countries like Germany where testing has been critical to control the virus since the start of the pandemic. However, if you do attend a testing centre and test positive for Covid-19, you will be contacted by text, e-mail or phone and asked to log onto the NHS Test website. When you attend a test centre you will be required to show your ID, including giving your name and date of birth which will be taken down. So this is when your personal data will be processed by the NHS Contact Tracers going forward. By attending the test centres and having the Covid-19 test, you will be giving your explicit consent for your data to be used in accordance with the Data Protection Act 2018 and the GDPR.

This information should only be used for the purposes of track and trace and isolation, but many people are nervous as to how long this information will remain on the government system and how it will be used. However, this is for public safety and security so we perhaps need to reassure the public that their data will be used ethically and protected in law.

What is the definition of ‘Personal Data’?

Personal data is defined under data protection laws, these being the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). As stated by the EU Commission:

  • Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.
  • Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the GDPR.
  • Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.
  • The GDPR protects personal data regardless of the technology used for processing that data – it’s technology-neutral and applies to both automated and manual processing, provided the data is organised in accordance with pre-defined criteria (for example alphabetical order). It also doesn’t matter how the data is stored – in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR.

Will your data be safe?

This data needs to be held securely, and one would hope the government, having created this new process, will have wrapped it up with modern firewalls and security systems. However, with soaring cyberattacks and hacking incidents, people are genuinely nervous of sharing their data and question whether it will be protected fully. The government could ease public concern by reassuring them that, unlike the antiquated NHS systems of the past, their new systems are robust.

On the NHS Test website, you will be asked for the following personal information, which is classed as personal data:

  • Name, date of birth and postcode of your home address
  • Who you live with, meaning the people in your household and their names
  • Places you visited recently
  • Names and contact details of people you have recently been in close contact with

People who shall be classed as close contacts are said to be:

  • People you've spent 15 minutes or more with at a distance of less than 2m
  • Sexual partners, household members or people with whom you have had face-to-face conversations at a distance of less than 1m

The contact stated above must have taken place within a 9 day period, and this would start 48 hours before you develop any Covid-19 symptoms. Further, no one who is contacted via Contact Tracing will be informed of the identity of the person who has tested positive for Covid-19. This will ensure compliance with the Data Protection Act 2018 and the GDPR and would fulfil the concept of anonymised data being used, which should offer some assurance to individuals.

Protection afforded

The GDPR came into force on 25 May 2018, and we as individuals are “data subjects” as the legislation describes us, so we have a right to control and know more about our personal data and who is using and processing such data. A data subject/individual has the following rights:

  • Request access to your personal data.
  • Request correction of your personal data.
  • Request erasure of your personal data.
  • Object to processing of your personal data.
  • Request restriction of processing your personal data.
  • Request transfer of your personal data.
  • Right to withdraw consent.

The Track and Trace scheme is now underway, having started on the 28th May 2020 without the launch of the coronavirus APP, and to date it has been said that 20,968 people who tested positive had been referred to the Track and Trace scheme.

The coronavirus APP was said to launch on 5th June 2020 and would then be running fully by the end of June 2020; this has not happened. Then on the 18th June 2020, the Government abandoned such plans as this technology was not at a stage where it could be fully effective. Prime Minister Boris Johnson has stated that "No country in the world has a working contact-tracing APP."

So have we given up?

The APP and the Contact Tracing system, which collect personal data, are a data privacy issue. The question is: do we, as data subjects, have the right to refuse to engage, even if it is within the public interest and legitimate interest in accordance with the GDPR, or should we engage because it is for the greater good and is going to protect not just our own health but the health of the country by preventing and containing Covid-19?

Several other countries have introduced contact-tracing APPS:

  • France's app has been downloaded by two million people, although a quarter of those have since uninstalled it. The data is held on a government database.
  • Germany's app has been downloaded 13 million times, out of a population of 83 million. It does not have a central database.

As technology lawyers we often see how legislation is out of date and cannot keep up with the law; we see ethics and morals overridden in the name of technology and the need for data; we see the public’s concern over giving too much away, and to a hackable platform. But given the current circumstances and the opportunities for our government to work with the private tech sector, is this not a time to have a tech talk to the public and to talk to the government about robust security and privacy of the system?

The message is that the public and companies alike, including tech companies, need to be aware of the updates and movements in terms of the APP. They need to ensure it will function for its key purpose of keeping people safe from Covid-19. We will all have a part to play: if people are travelling to work, employers should encourage employees, workers, and consultants to use the APP to protect themselves. We hope that all businesses will be mindful of the APP and Track and Trace as we integrate this into the new normal.

Every business and employer will need to look at their risk assessment, processes, and policies to integrate this technology to protect their staff and customers. Likewise, we as the public need to embrace the technology and cooperate to give it any chance of succeeding. To do this, businesses and individuals need assurances as to the use, safety, and importance of their personal data.