UK Parliament's human rights committee pushes for better protections of coronavirus contact-tracing data in law
Decentralised app rolling out soon, but manual process remains problematic
In the absence of a working contact tracing app, the UK government has been forced to rely on manual data collection and human-powered tracing to identify potential cases of exposure to the Covid-19 virus. But, as Parliament’s cross-party Joint Committee on Human Rights claims in a new report, this is just as problematic as the original centralized app, particularly when it comes to user privacy
The report acknowledged that human-powered contact tracing has many of the flaws that dogged the original application with respect to the deanonymised identification of individuals. "There has been little public debate of the privacy implications of manual contact tracing, but in some ways, the information gathered is more personal," the Committee said.
"Information gathered by a human contact tracer could feasibly be names of the people who were in contact, how long the contact was for and where they met," the report added, pointing out that a decentralised app would merely correlate two phones that have been within close proximity for more than 15 minutes.
Furthermore, as this information is recorded and stored digitally, any concerns regarding an app-based approach to contact tracing also apply to manual contact tracing.
The report raised eyebrows at the government's strategy of outsourcing contact tracing to third parties, like pubs and restaurants. One of the conditions that allowed the lifting of lockdown restrictions on the hospitality sector was that establishments would be forced to record the contact details of patrons. However, there have been instances where this track-and-trace information has been misused.
"There have been reports of customers being harassed after people obtained their numbers from sign-in books left on display in pubs and restaurants," the Joint Committee noted.
Irrespective of the ongoing national emergency, any organisation that collects data from the public is obligated to adhere to the existing data protection legislation, like GDPR and the UK's Data Protection Act. While the government has issued guidance to businesses, the Joint Committee questioned whether this information is being properly managed.
The report comes as the UK government is mere days away from launching its contact-tracing app in England and Wales. This follows the Northern Ireland Executive, which launched its own effort, StopCOVID NI, in July. This uses the purpose-made Bluetooth API interfaces created by Apple and Google in response to the pandemic, and is interoperable with the contact-tracing app used in the Republic of Ireland.
Similarly, the Scottish government has its own app, called Protect Scotland. Like StopCOVID NI, this also uses Apple and Google's tech, and has already received more than one million downloads.
The launch of the UK government's second contact-tracing app is already embroiled in confusion after a Downing Street spokesperson incorrectly told reporters yesterday that it wouldn't log interactions between users – which is a fundamental component of app-based contact tracing.
The government "clarified" later in the day that Thursday's app would include the feature.
Users will also be able to "check-in" to venues by scanning QR codes, allowing them to avoid providing their details directly to the establishment. A handwritten register will remain available for those without a smartphone. In addition, the app will support booking tests, checking symptoms, and display the ongoing risk level for a particular area.
The Joint Committee on Human Rights echoed previous calls for the government to protect contact-tracing data privacy with a bespoke law. Harriet Harman, who heads the committee, has previously described existing legislation as inadequate for the task and scope of any app designed to register the movements of the general population.
"To build trust with users, which has been shaken by high-profile missteps, the Government should introduce legislation which defines what data will be collected, how long it can be held, when it will be deleted," the report argued. "Such legislation should include a ban on contact tracing data being shared for any purpose other than combating the spread of Coronavirus."
As the experience of any country using app-based contact tracing shows, there will always be a need for human-powered processes. Not everyone owns a smartphone, and the apps themselves are voluntary. The report therefore suggested that any legislation should also extend to manual contact tracing.
"Manual contact tracing is the main component of the UK's test, track and trace system. This still involves data being collected; indeed, that data is arguably more sensitive than that collected by the app," it said.
"Whether that data is gathered digitally or manually, the legislation should limit how long manually gathered data can be held, define what type of information can be gathered, confirm when it will be deleted, and restrict it from being shared for any purpose other than combating the spread of Coronavirus." ®