May 05, 2020

NHS app lacks privacy “due diligence”

Open Rights Group's lawyers, AWO, have written to Matt Hancock and NHSX to demand immediate confirmation that they will conduct a full and adequate Data Protection Impact Assessment, consult with the ICO and publish the results.


It was confirmed to Parliament on Monday that this risk assessment had not yet been completed, nor had the ICO had sight of it. [1]

NHSX is deploying its App in public this week, effectively without completing its data protection privacy obligations. The public and NHSX are therefore unable to judge if it is safe to use, what risks are involved or what has been done to mitigate those risks. We have asked NHSX to clarify those points.

Jim Killock, Executive Director of the Open Rights Group said:

“The NHSX has not done its homework. We are worried that NHSX will not have fully addressed the many privacy risks that come with building a massive database of personal contact events.

“The NHS have chosen to use a very intrusive solution to ‘contact tracing’ so must be especially careful about the risk management. They have failed to consult with the ICO on those risks, and have not published information about them, in advance of public trials.

“We have made this formal legal demand to ascertain what the risks and mitigations are, before the App is rolled out to the entire British public.

“If we find that sufficient mitigations are not in place, we will consider further legal action.”

ORG wrote to Matthew Gould, Chief Executive of NHSX on Friday 1 May about these matters, to which NHSX did not reply, and has followed up with a formal legal request for the documents today.

A formal legal opinion published on Monday shows that it will be hard for the NHSX to meet basic requirements of lawfulness due to the highly intrusive method of contact tracing they have chosen. [5]

Donations to the legal work can be made here.

ENDS

Contact

Jim Killock 07894498127 / press@openrightsgroup.org

Notes

1 Elizabeth Denham on Monday 4 May confirmed to Parliament at the Joint Committee on Human Rights that she had not received the Data Protection Impact Assessment, and that she considered it a legal duty that she be consulted. This would be necessary where mitigations to 'high risks' could not be fully delivered. https://committees.parliament.uk/event/906/formal-meeting-oral-evidence-session/

2 Contact tracing apps create risks of many kinds, many of which cannot be fully mitigated.

3 The Government has committed to publishing the Data Protection Impact Assessment but has given no timescale, and has made no comment on consultation with the ICO.

4 Open Rights Group’s successful legal record includes interventions in the Watson case on the Data Retention Directive, taking the government to the ECHR over the use of bulk communications data for espionage and challenging the 'immigration exemption' in data protection. We are also challenging data sharing in UK Adtech, which is the subject of an ongoing investigation at the ICO.

5 COVID-19 & Tech responses: Legal opinion Matthew Ryder QC, Edward Craven, Gayatri Sarathy & Ravi Naik https://www.awo.agency/covid-19-legal-opinion.pdf