NHS app Users’ facial verification data stored by company linked to Tory donors
The NHS app is collecting and storing facial verification data from UK citizens, causing concerns about transparency and accountability. The data collection is taking place under a contract with a company linked to Tory donors called iProov, awarded by NHS Digital in 2019, which has yet to be published on the government website.
Privacy campaigners say the opacity of the relationship between iProov, based in London, and the government raises questions about how securely the information is held. One said they were “deeply concerned” about the secrecy surrounding the use of data.
The NHS confirmed law enforcement bodies could request data, but said a panel reviewed such requests in light of the health service’s duty of confidence.
The number of users reached 10 million this year after the app was adapted to act as a Covid passport. It can be used to access medical records and book GP appointments, and to obtain vaccine status certificates, for example for travel.
The app asks some users for video facial verification by default, although it is possible to opt out. The process involves new users recording a video of their face, which is sent to iProov. The firm compares the facial data with anonymised photo IDs already held by the government. Its software beams a one-off sequence of colours at the user’s face, through their phone, to ensure they are present during verification.
The app also asks users to upload their date of birth, postcode, phone number and a photo of either their passport or driver’s licence. Only a photo clipped from the ID document is supplied to IProov.
NHS Digital and iProov emphasised that app users’ biometric data was anonymised and guarded by the best possible security protection. IProov said its customers implemented a “privacy firewall” so it had no visibility of the identity of the people it verified, apart from their faces.
NHS Digital said it had not published its contract with iProov “for security reasons”. This was also why it had notpublished a data protection impact assessment of the NHS app, the document that explains how individuals’ information will be used, stored and protected. IProov said it could not disclose how long it held facial data. The NHS said the information was “not stored for longer than is necessary under the contract”.
An expert in surveillance law said such information was likely to be desirable to UK and foreign intelligence services. “If GCHQ acquired it and it was of use, the likely position is they would share that with the [US] National Security Agency,” they said.
Jake Hurfurt, of the civil liberties group Big Brother Watch, said: “We’re deeply concerned by the secrecy surrounding facial verification and data flows in the NHS app, particularly given the involvement of a private company.
“It raises questions about how private and secure anyone’s information is when using facial verification and the NHS login. Anyone who sends personal information to a private company, at the encouragement of the NHS, has a right to know exactly what happens to their data.”
Dr Stephanie Hare, author of Technology Ethics, said: “Transparency, explainability and accountability are the holy trinity of technology ethics and they fall down on every one of them.”
IProov is linked to Conservative donors. It has received financial backing from the private equity group JRJ, which has a seat on the board after investing in 2015 and 2019, the year iProov won its first NHS contract.
JRJ counts two Tory party benefactors among its three partners. One, Jeremy Isaacs, a former Lehman Brothers executive, made 26 donations totalling £661,500 between June 2006 and February 2021.
A fellow JRJ partner, Roger Nagioff, donated 15 times between May 2004 and February 2020, giving £448,500. JRJ did not comment, but a source familiar with its investment said it owned less than 10% of iProov and was not involved in the NHS contract.
IProov won its contract to provide facial verification software to the NHS during a drive to digitise the health service. While the contract hasn’t been published, documents on the government’s “digital marketplace” website show that it typically charges an annual service fee of up to £1.4m and a cost per user of £1.50. The NHS said it had secured a discount.
NHS Digital said: “We use facial verification software when people decide to use the app to access their confidential patient data, as part of the high-level NHS login identity verification process which is clearly explained to app users. This means people using the app can trust that their data will be safe and secure.”