We’ve extensively covered how 🛡 coronavirus contact tracing apps pose a threat to privacy and civil liberties. We’ve also discussed how the UK’s centralized approach, in particular, is not only more concerning than others, but that the NHS has allowed sensitive internal documents discussing its development to get leaked.
The leaked document, dated March 25th, discussed the collection of users’ precise GPS location data, something the NHS had previously claimed they would not do.
An absolute shit-show all around, but it gets worse.
The NHS published a privacy notice on May 29 which mentions, among other things, that it reserves the right to retain personal data for up to 20 years.
Initially, the link was not accessible from outside the UK, but it seems to have been opened sometime today.
The notice states that the personally-identifying information of anyone showing symptoms is kept by Public Health England for 20 years, regardless of whether they test positive.
Those without symptoms still get their personally identifying information retained for five years.
Further, the app will not comply with the GDPR which affords individuals “the right to be forgotten” and have their personal data erased upon request.
The notice specifically states: “You can ask for any information held about you to be deleted. This is not an absolute right and Public Health England may need to continue to use your information. We will tell you why if this is the case”.
Not only that, but in order to have your information deleted, you must submit identification to “provide proof of your identity”, thereby giving them even more data about you, similar to the Clearview AI scandal and the way they handled deletion of personally-identifying information.
Those who test positive for COVID-19 are asked for the following additional information:
- full name
- date of birth
- NHS Number
- home postcode and house number
- telephone number and email address
- COVID-19 symptoms, including when they started and their nature
Additionally, they are asked for the contact information of anyone they’ve been in close contact with. Those people are also asked for their full name, date of birth, and details of their symptoms.
As a result, the privacy advocate group Open Rights Group (ORG) are now preparing a legal challenge against the NHS.
“The government needs to better explain their reasoning; what they have done so far has been rushed. Our concern is people will feel reluctant to participate if they feel their personal data is leaving their control,” said Jim Killock, ORG’s executive director.
One concern being raised is whether this data will be shared with other government bodies like law enforcement or immigration.
Furthermore, the NHS has failed to undergo a legally-mandated data protection impact assessment, which is to be filed to the Information Commissioner’s Office prior to carrying out any potentially “high-risk” activity.
“These new powers require new protections,” wrote Harriet Harman in a letter, chair of the influential joint committee on human rights (JCHR). “It seems to us absolutely evident that the bill is needed. And instead of looking ahead to that fact, they’re going to wait until it’s urgent. Public opinion is very volatile about this sort of thing. One minute everyone can be seeing the absolute good sense, and the next they can have a lot of worries about it.”
Harman’s letter was addressed to health secretary Matt Hancock, who has previously argued that existing data protection law is sufficient, along with oral statements and promises.
In his letter, Harman details 10 areas wherein existing law does not match promises made by government regarding security and anonymization.
The JCHR, which includes members from both houses of parliament, took it upon itself to draft a bill requiring the deletion of gathered information after the end of the outbreak.
Nikita Malik, the author of the Leaving Lockdown report, also shared concerns around a potential “surveillance creep”, where intrusive powers are expanded or data is used to prosecute for a range of crimes. “What’s needed now is greater transparency, oversight, and accountability.”
Of equal importance is for the government to safeguard the data from the very firms they’re working with, to ensure the data isn’t being shared or sold that way.