ICO Gives Cautious Thumbs-Up to #COVID19 Contact Tracing Apps

Written by

The UK’s privacy regulator has given a cautious green light to a contact tracing project Google and Apple are working on to enable governments to end current COVID-19 lockdowns.

A new opinion issued by the information commissioner, Elizabeth Denham, stated that the proposed Contact Tracing Framework (CTF) appears to be “aligned with the principles of data protection by design and by default.”

The CTF uses Bluetooth technology and exchange of frequently changing anonymous identifier beacons to track and trace infections and notify users if they have been in the vicinity of someone who subsequently tests positive for the virus.

However, whilst giving the scheme a tentative thumbs-up, Denham argued that developers building apps on top of the CTF may collect other data and use different techniques than those envisaged by the tech giants.

In fact, reports emerged last month that the UK’s NHS was considering capabilities in its own app built on CTF that would allow ministers to deanonymize data in order to identify individuals if necessary.

Aaron Moss, barrister at 5 Essex Court, said that it would only be possible to check such allegations once the source code was made public.

“If the central database contains an individual’s location data, including a unique identifier for their device, people will understandably worry that the data could be used for surveillance which they would not consent to. This is what the information commissioner calls ‘function creep’,” he told Infosecurity.

“The bottom line is that individuals cannot be certain how public authorities will use their data in the future. Once public authorities hold data, they may well lawfully use it for other purposes, unknown to the data subject. The key in this case is that the app should be designed in such a way that it doesn’t collect identifying data in the first place, or minimizes this data to what is really required to fulfill its function.”

The European data protection supervisor earlier this month called for an EU-wide contact tracing app to be developed in line with GDPR principles.

What’s hot on Infosecurity Magazine?