Is your data safe with Test and Trace?

We know that large amounts of data are needed to run Test and Trace, but how is it collected, and how is it protected?

Contact tracing might help keep us safe in the pandemic – but how does it safeguard your data?

Test and Trace is a public health scheme run to help identify who may have Covid-19, based on whether they have been in close contact with someone who has tested positive for the virus.

How does Test and Trace work?

In England, there are two different systems for Test and Trace – there is a manual system, and there is the NHS COVID-19 app. Both collect data on who you have been in close contact with, and alert you if you may have caught the virus.

If you test positive for Covid-19, you may then be contacted by Test and Trace or by someone who works for your local council. You will be asked to provide personal information including your name, date of birth, and postcode. You will also be asked for the names and contact details of any people you were in close contact with in the 48 hours before your symptoms began, and any places you’ve been such as your workplace, school, restaurants and pubs.

If you use the NHS COVID-19 app, you can choose to alert other app users who have spent time near you that they might have the virus and should self-isolate for 14 days. The app identifies people you have had close contact with by monitoring the strength of Bluetooth signals between your phone and another app user’s phone. Being in ‘close contact’ is generally being within 2 metres of someone for over 15 minutes.

Venues like pubs and restaurants are legally required to keep records of who has been on the premises and when. Customers can provide their contact details directly, or scan an NHS QR code with the app. You will then be alerted if other people at the same venue as you have tested positive for the virus.

So, is your data safe?

The two systems collect and store personal data very differently, and with varying risks. We've outlined them for you, and what's happened so far, below.

The manual system:

According to the NHS and Government website, and privacy notice, all information you provide to NHS Test and Trace is confidential and will be kept and used in line with the Data Protection Act 2018. No one who is contacted in connection with your case will be told your identity.

But there have been some concerning indications that data security isn’t being taken seriously.

The Department of Health did not complete a data protection impact assessment (DPIA) before launching the scheme, despite this being a GDPR requirement for any project that handles personal data. The Government has now said it is working with the Information Commissioner’s Office to ensure data is being handled in line with GDPR.

The DHSC is the official data controller for Test and Trace. They've published privacy guidance that we've read for you.

The personal information they can collect is extensive, including:

  • first and last name
  • date of birth
  • gender
  • ethnicity
  • landline and mobile phone number
  • email address
  • home and delivery address, including postcode
  • vehicle registration number
  • National Insurance number
  • NHS number
  • details and date of onset of symptoms
  • employer details

And Test and Trace can share this data quite widely. Your test result may be passed on automatically to your GP. Your address might be given to Amazon to deliver you a home test. Test and Trace can pass your information on to the local authority if they suspect you are not self-isolating, and this information can then be passed to the police. Contracted third-party providers of Test and Trace can use your data in line with DHSC instructions, or otherwise with permission from the DHSC. Multiple private companies have been contracted, including Serco, Sitel and Amazon.

The Government initially stipulated that data obtained by NHS Test and Trace would be retained for 20 years. After pressure from campaigners for data privacy, this has been reduced to eight years, which is arguably still too long.

There have been data breaches, too. In May, it was reported by The Times that contact tracers had shared private patient information in WhatsApp and Facebook groups.

The Guardian reported 3 data breaches: two involving Serco, and one involving Ventrica, a private contractor, which did not properly redact an individual’s name and number in a contact tracing training video.

For Test and Trace, venues gather data from their customers and staff. They are required to store this information for 21 days. Though venues storing data for contact tracing are obliged to comply with GDPR, there have been reports of data being misused, specifically to harass women. The ICO advice states that businesses collecting your information for contact tracing should do so securely. For example, they shouldn’t use open log books or ask you to add your name to a list. If you don’t think that your personal data is secure, you can make a complaint.

The NHS COVID-19 app

The Government initially developed an app based on a centralised system – data was to be stored on a central server. This system was abandoned because of concerns about public trust and data security.

The new app, launched in September, uses Apple and Google’s decentralised system. It is considered much more secure. In this system, your data is stored on your phone, unless you choose to share it. You are not mandated to share your data, even if you test positive. You can also see what information the app has about you, you can check that it is right, and you can delete it.

The app is designed to keep your data anonymous. The app cannot access personal information on your phone, such as messages or contacts. It does not collect any directly identifiable information such as names, telephone numbers, NHS numbers or GPS location data.

The Bluetooth codes used to identify close contact are encrypted and stored on your phone for 14 days. Even if you choose to share them with Test and Trace, they cannot be used to identify who you are or who you’ve spent time with.

If the app recommends you get tested for Covid-19, you'll be allocated a unique token, which is passed to the test centre so that the results can be uploaded on the app. The token supplants the need for any personal information (like your name), and it is destroyed within 24 to 48 hours of test results being received.

For the app to tell you if your local area becomes high risk, you'll need to give the first few characters of your postcode. But this covers around 8,000 households on average, so you cannot specifically be identified.

Checking in to a venue with a QR code is also anonymous. The code will stay on your phone for 21 days.

The data it gathers cannot be used by the police to identify or track you. And, even though refusing to self-isolate when told to is now illegal in England, the new laws do not apply to being told to isolate by an alert on the NHS COVID-19 app.

If you'd like to know more, the National Cyber Security Centre are involved in monitoring and reviewing the app to ensure it is safe and secure to use. Apple and Google have also done a privacy review. You can read the Privacy Notice and DPIA for the app on the Government’s website.

Can You Trust It?

There are no glaring technical or legal reasons to distrust the app. Indeed, the app has data privacy built into much of its design.

The same cannot be said for the manual system, which is demonstrably more vulnerable to human error and mismanagement, as well as having a troublingly opaque approach to data protection.

But… Do You Trust It?

It doesn’t seem so. Public trust in the Government’s ability to manage the pandemic is very low. Lack of public trust must be contributing to the meagre number of downloads since the app was launched.

It is understandable to be sceptical of a system that requires so much personal data to function, particularly if it is being managed by a Government, and outsourced to private companies, that you may have other reservations about.

Final Thoughts

Though contact tracing is an important way of controlling infection rates, and the app will only be effective if many more of us download it, this is your decision to make. Using the app is voluntary. You can use parts of the app (such as the QR codes) but turn off the Bluetooth. You can choose not to share your app data with contact tracers.

The manual Test and Trace scheme is bound by data protection laws. To read more about your personal data rights, check out our blog on GDPR.

Still have questions, or ideas? Let us know @rightlydata
