To scan or not to scan… has GDPR been forgotten amidst the pandemic?

As it seems with all emergencies, the COVID pandemic has shown how quickly entire industries can evolve when the only other option is to shut up shop. In an effort to track the general public, monitor the spread of COVID-19 and report on positive cases, the NHS COVID-19 app was launched in September 2020 and obligations were placed on businesses to record who entered their premises and when – staff and customers alike.

In England, businesses are only required to take their patrons’ details if they have not “checked in” via the NHS app. Whether you prefer to check in via the app, or provide your details to staff, data protection regulations govern how your personal data is processed, stored and later deleted.

Post first published on 16 October 2020

The app

You only confirm one piece of information when downloading the NHS app – the first part of your postcode. It does not ask for (nor need) your name, phone number, email address, GPS data or your specific address.

The app confirms the risk category for your area and assigns an “Installation ID” to your phone as a user of the app, running your Bluetooth (with your consent) in the background to scan your surroundings, looking for other NHS app Bluetooth signals. When your app picks up another nearby app user, this “interaction” is logged in the NHS tracking database – if you later test positive for Covid, a notification will be sent to all of those apps you “interacted” with, to tell them they may be at risk.

Due to the urgent demand for the creation and implementation of the NHS app, the project did not undergo a full Data Protection Impact Assessment (DPIA) before its public use, as is usually required under GDPR. The DPIA, however, has now been completed and reports that personal data is collected “anonymously” through the app to aid with the tracking of coronavirus cases.

However, the government has been heavily criticised for its use of the word “anonymous” throughout the DPIA, with some experts, such as Michael Veale of University College London, stating that the information stored by the NHS database is pseudonymous instead (i.e. they use a different, not anonymous, way of identifying you). Although, on the database, an app user is only identified by their unique Installation ID, it is technically true that this reference number could be traced back to a particular phone, of which you will likely be the registered owner (either as the contract holder or the phone number holder).

Pseudonymous information is, by its very nature, always one step away from identifying an individual, but officials and supporters claim that one would need more information to identify an individual than just their Installation ID.

UPDATE – following news over the weekend (of 18 October 2020) that police may be given access to personal data collected via the Test and Trace scheme, NHS-Covid19 app developers have offered clarification on this topic and highlighted the distinction between the following:

  1. Test and Trace scheme – the system through which you obtain a coronavirus test from the NHS and receive a text message confirming your result (and possibly your need to self-isolate); and
  2. Track and Trace app – the app which you use to “check in” at various locations, check your area’s risk value and enter test results, if received.

The original claim stated that police would be able to apply, on a case-by-case basis, to access personal data held by the NHS testing system regarding those who had been told to self-isolate. Some incorrectly concluded that this related to the app, which led to a large number of threats to delete the app, due to fears that data may be accessed by police without an individual’s knowledge.

However, the app developers have clarified that the two systems operate independently of one another, with the Department for Health and Social Care confirming that neither police nor the government receives any personal data from the app. In fact, the NHS released a statement on 18 October 2020 via Twitter, setting out the app’s limitations and confirming that “the app cannot be used to track your location, for law enforcement, or to monitor self-isolation and social distancing”.

The logic behind allowing police, in extreme circumstances, to access personal data collected by the testing system is that a request by the NHS that an individual self-isolates following a positive test result is legally enforceable, and something the police should, if the situation requires it, be able to impose. On the other hand, recommendations made by the app to self-isolate (for example, following possible contact with someone who later tests positive) are not legally enforceable.

The alternative

So, if one does not want to use the app, they are left with one option – manually checking in wherever they go. This usually requires some, if not all, of the following information:

  1. Name
  2. Address
  3. Phone number
  4. Email address
  5. Number in your party.

None of the above information is required by the app.

And what happens with these details once you’ve provided them? Businesses are under an obligation to store personal data securely and for only as long as is necessary, after which time they must dispose of the information securely. This is of course easier to adhere to for businesses that use a digital capture system (a phone or tablet, for example), but what about those that don’t have such systems in place?

Many businesses are resorting to pen and paper to collect these details – leaving a clipboard out for customers to complete. The table has several columns, asking for some or all of the details above, and countless rows where person after person provides their personal data. This personal data is then often left out on a counter for any passer-by to see, access and record, until the rows are full and a fresh piece of paper is required.

So, notwithstanding that your personal data may have already been leaked, businesses are required to store this information securely – that’ll be a password-protected file on a computer or USB, and a locked box for physical records. These details must be kept for 21 days (in case the establishment is linked to a positive Covid test and needs to notify anyone who has been in contact), before being securely destroyed – again, for digital files this will require permanent deletion and physical records will need to be shredded.

The question is – are businesses fulfilling these GDPR obligations? For many, since businesses require far more personal data than the NHS app does, it is imperative that they do.

So, which one?

The app is easy to download, set up and use, and requires only the first half of your postcode to get started. From there, you simply open the app and use your camera to scan the QR codes wherever you go, and that’s it. You’ll only then be notified if you have been put at risk.

With its use of pseudonymous information, the app is certainly looking to be the more GDPR-compliant contender – and with individuals becoming more aware of their personal data and how it can be used, it seems this would be the most sensible choice here. However, digital privacy experts are concerned that scammers can easily post fake QR codes designed to compromise user data in various ways.

Manually checking in seems to be more time-consuming (if done at all, which means you won’t know if you were at risk), more onerous with regards to the information required and appears to be riskier in terms of a personal data breach.

Whichever option you select as an individual, you need to be aware of the risk associated with it; neither option is without the risk of a personal data breach.

If you are a business owner or manager and are unsure of your obligations with regards to GDPR and track and trace, please visit the Information Commissioner’s Office website for more information.

If you require any data protection advice, our specialist advisers would be happy to help. Contact the team at IBB on or 01895 207264.