Why Covid-19 app needs privacy guarantees
The app should only be used for health purposes and should be subject to independent oversight, argues Les Allamby
❝ Our right to privacy is qualified and can be interfered with, but only in specific circumstances
❝ A contact tracing app will only work if it wins the confidence and trust of people in Northern Ireland
IN December 2016 Professor Joe Cannataci, the UN Special Rapporteur for privacy in the digital age, spoke at the launch of the NI Human Rights Commission’s annual statement in Belfast. He started by asking how many in the audience were in favour of electronically tagging and tracking the whole population aged 12 years and over. No one put their hands up.
His second question was how many people owned smartphones. Almost everyone’s hands went up. Well, he pointed out, you can be tracked whether you like it or not, regardless of turning your phone on or off.
In a nutshell this sums up our contradictory approach to privacy. We value our privacy, yet rely too much on smartphones and other devices to think too deeply about it. Moreover, who has time to read the page after page of complex information about privacy put out by tech companies before ticking ‘Yes’ and agreeing to hand over our personal data?
This issue is about to be thrown into sharp relief as both Britain and Northern Ireland are looking at a contact tracing app as one way of controlling the spread of coronavirus. In effect, an app is downloaded on a person’s smartphone and will store the data of any other person’s smartphone when it is within a defined proximity for a specific period of time.
If a person tests positive for
coronavirus, then the app notifies all the other contacts that they may themselves have been infected. This allows those people to be offered advice — for example, to get tested or self-isolate. It can potentially minimise the spread of the virus.
A centralised app (NHSX) is being trialled on the Isle of Wight. As it happens nine of my family live there. Four have downloaded the app, including a sister and niece who work in a care home and for the NHS respectively. Five relatives have not — their reasons have nothing to do with privacy concerns, rather they reflect age, poor health and technological abilities.
These family members are among the individuals most vulnerable to the impact of the coronavirus pandemic. As a result there are issues of both practice and principle at stake.
So, how do we balance the potential benefits alongside privacy safeguards? The Westminster Joint Select Committee on Human Rights has just published a report offering a rights-based route to approaching the issue. The report recognises the Government’s responsibility to protect life under Article 2 of the European Convention on Human Rights and the legitimacy of developing a contact app.
Meanwhile, it also highlights Article 8 of the Convention and our right to privacy and family life. This right is a qualified right and can be interfered with, but only in very specific circumstances. In practice any interference must be set out in law and can, among other reasons, be to protect health and public safety. The interference should be proportionate and be no more than is required to deal with preventing the spread of coronavirus.
The Select Committee concludes that privacy and other human rights protections should be placed in legislation with independent oversight and regular reviews of progress built in.
The legislation would enshrine the clear and limited purpose of the app, that the data should not be accessed for any other reason or shared with third parties. Further, the data should only be held locally on a person’s phone and must be automatically deleted every 28 days.
Legislation could also create a duty that personal data held centrally must be subject to the highest security protections
and standards. Other human rights considerations involved will include non-discrimination in the areas of immigration and employment. In a highly unusual move, the Select Committee have taken the decision to publish a draft Bill, reflecting how strongly it feels about the need for statutory safeguards.
The report also canvasses the question of whether a centralised approach, where data is shared by a central server managed by the NHS, is better for privacy than a decentralised model where most data is stored locally on a person’s phone, sharing as little data as possible with the NHS.
To date Government is piloting its centralised NHSX model, arguing that it provides greater scope for data analysis, though there is a debate inside
Government in London about the effectiveness of the NHSX app and privacy issues.
The report also notes that in Northern Ireland there will be specific issues around coordination within the UK and Ireland. The Irish Government has opted for a decentralised system that has been used in the majority of other countries to date. Ensuring effective compatibility will be one of the delicate practical and political conundrums to eventually land in the in-trays of Northern Ireland Executive ministers.
A contact tracing app will only work if it wins the confidence and trust of people in Northern Ireland. Part of winning that trust will be about openness with the public, including providing statutory safeguards, independent oversight and regular review.
To date legislation is not the Westminster Government’s preferred route. In this case reassuring words from a lectern will not be enough.
In addition, a strategy needs to be put in place for individuals who, because of their age, health or other circumstances, cannot or will not use the app. The manual contact tracing of those with positive tests for the virus outlined by Robin Swann is a good start.
Harnessing technology for our benefit during the pandemic is welcome but must not be at undue expense of our right to privacy.
That is why the Select Committee approach is so commendable.
Les Allamby is Chief Commissioner of the NI Human Rights Commission