[Withdrawn] NHS COVID-19 app: privacy notice (early adopter trial, August 2020)
Published 13 August 2020
This document supports the early adopter trial only and will be subject to review and revision in light of insight from the trial.
Introduction
This privacy notice relates to the early adopter trial phase of a mobile application (App) the government has developed to contribute towards the response to the coronavirus outbreak. The App is part of NHS Test and Trace and overseen by the Department of Health and Social Care (DHSC).
The App, as part of the NHS Test and Trace Programme, aims to help people manage their risk of exposure to COVID-19 and identify and inform those who have been at risk. The App tracks the virus, but does not track people.
How the App protects your privacy is set out in this document. You may wish to read this privacy notice with other privacy notices relating to the wider Test and Trace Programme – you can find out how to access these documents at the end of this document.
How the App will help you
The App is designed to make fast, accurate digital contact tracing possible while protecting your privacy and identity. It uses the minimum amount of your personal data possible.
Contact tracing depends on being able to determine who a person who has tested positive for COVID-19 could have infected. Manual contact tracing involves asking an infected person who they have been in contact with; the person can only identify the people they know, and it is impossible to do this without using people’s names and identities. The App has been designed to make contact tracing possible without needing to know names and identities. The App will alert you if you’ve been near another App user who tests positive for coronavirus. Similarly, if you test positive, the App will ask you to allow those you’ve been in contact with to be alerted. It uses technology developed by Apple and Google called ‘exposure notification’ and ‘exposure logging’ to do this.
The App also allows you to:
- check whether the symptoms you have could be COVID-19
- order a test, via a link to the NHS Test and Trace website
- alert other App users who have been in contact with you if you test positive
- count down how long you have left if you need to self-isolate
The App will tell you the risk level in your local area (your postcode district), and will allow you to check in to venues, such as restaurants or leisure facilities. If a venue is identified as high risk, your App will alert you, and if you test positive, you will be able to use your check-in log to remind yourself where you have been when talking to a contact tracer.
The App will not be available to everyone at first; we will test it with groups of users before rolling it out nationally. The groups of initial users will receive a link inviting them to download the App. The App will only be available to the people who have been invited to download it and who have been given an access code, during the testing phase.
At present, the App is for people aged 18 or over.
It is intended that a future version of the App will also have a feature that will enable you to keep track of how much risk you personally are encountering as you live your day-to-day life.
What data the App uses
The App has been designed to use as little personal data and information as possible. All the data that could directly identify you is held on your phone and not shared anywhere else. When you first install the App from your App store there will be instructions for you about how to allow the App to function. This includes turning on your Bluetooth settings (if not already on) and entering the first part of your postcode (up to the space), which is also called the ‘postcode district’. Bluetooth is needed because the App uses the strength of the Bluetooth Low Energy signal to work out how near App users are to each other.
Digital contact tracing
When you download the App to your phone, the App will start to generate a code that identifies the App’s existence on your device. This code changes every day so that it cannot be associated with you or your phone. From this code the App produces another randomly generated code every 15 minutes. This code is collected by the App installed on other users’ phones when you come into close contact with them and kept on the other user’s App for 14 days. There is no way for another user to tell that a code collected from your phone relates to you or your phone.
If you report a positive test for coronavirus, the App will ask for your permission to share your daily codes with other App users. If you agree, your daily codes will be uploaded to the central system (the DHSC secure computing infrastructure, hosted on Microsoft Azure Cloud Services (UK)). The central system will then send your codes to every App user’s phone and each user’s App will check for any matches. Where there are matches, the user will get an alert that they may have been in contact with someone who tested positive. The central system does not know who you have been in contact with and it doesn’t record any matches.
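As an added illustration (not code from the App, from DHSC or from Apple and Google), the following Python models the scheme the two paragraphs above describe: a fresh random daily code, 15-minute rolling codes derived from it by a one-way function, collection of those rolling codes by nearby phones, upload of only the daily codes after a positive test, and matching done entirely on the receiving phone. The derivation function (truncated HMAC-SHA256), the retention pruning, the phone names and the scenario are assumptions made for this example; the real exposure notification derivation uses an AES-based construction with different parameters.

```python
"""Model of daily codes, rolling codes and on-device matching.

Constructed example for illustration; not the App's own code and not the
Apple/Google exposure notification specification.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from datetime import date, timedelta

ROLLING_INTERVAL_MIN = 15                          # the notice: a new code every 15 minutes
SLOTS_PER_DAY = 24 * 60 // ROLLING_INTERVAL_MIN    # 96 rolling codes per daily code
RETENTION_DAYS = 14                                # collected codes are kept for 14 days


def derive_rolling_code(daily_code: bytes, slot: int) -> bytes:
    """Rolling code for one 15-minute slot (0..95) of the day.

    Assumption: a one-way derivation (HMAC-SHA256 truncated to 16 bytes), so a
    collected rolling code reveals nothing about the daily code or the phone.
    """
    return hmac.new(daily_code, slot.to_bytes(2, "big"), hashlib.sha256).digest()[:16]


class Phone:
    """Minimal model of the App on one device."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.daily_codes: dict[date, bytes] = {}   # this phone's own daily codes
        self.observed: dict[bytes, date] = {}      # rolling codes heard, with the day heard

    def daily_code(self, day: date) -> bytes:
        # A fresh random code per day: consecutive days cannot be linked.
        return self.daily_codes.setdefault(day, os.urandom(16))

    def broadcast(self, day: date, slot: int) -> bytes:
        return derive_rolling_code(self.daily_code(day), slot)

    def hear(self, code: bytes, day: date) -> None:
        self.observed[code] = day

    def prune(self, today: date) -> None:
        # Drop anything older than the retention period.
        cutoff = today - timedelta(days=RETENTION_DAYS)
        self.observed = {c: d for c, d in self.observed.items() if d > cutoff}
        self.daily_codes = {d: k for d, k in self.daily_codes.items() if d > cutoff}

    def share_on_positive_test(self) -> list[tuple[date, bytes]]:
        # Only the daily codes leave the phone, never the codes it has heard.
        return sorted(self.daily_codes.items())

    def check_exposure(self, published: list[tuple[date, bytes]]) -> set[date]:
        """Local matching: regenerate every rolling code of every published
        daily code and look it up in what this phone heard. The central system
        never learns this phone's observations or whether anything matched."""
        hit_days: set[date] = set()
        for day, daily in published:
            if any(derive_rolling_code(daily, s) in self.observed for s in range(SLOTS_PER_DAY)):
                hit_days.add(day)
        return hit_days


def simulate() -> dict[str, list[str]]:
    """Constructed scenario: alice and bob meet on day 3; carol only meets bob."""
    start = date(2020, 8, 1)
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    meeting_day = start + timedelta(days=3)
    bob.hear(alice.broadcast(meeting_day, 40), meeting_day)
    alice.hear(bob.broadcast(meeting_day, 40), meeting_day)
    carol.hear(bob.broadcast(meeting_day, 41), meeting_day)

    # Alice tests positive on day 10 and agrees to share her daily codes.
    published = alice.share_on_positive_test()
    today = start + timedelta(days=10)
    for p in (bob, carol):
        p.prune(today)
    bob_now = bob.check_exposure(published)
    carol_now = carol.check_exposure(published)

    # Eight days later bob's record of the meeting has aged out (14-day retention).
    bob.prune(start + timedelta(days=18))
    bob_later = bob.check_exposure(published)

    return {
        "uploaded_days": [d.isoformat() for d, _ in published],
        "bob": sorted(d.isoformat() for d in bob_now),
        "carol": sorted(d.isoformat() for d in carol_now),
        "bob_after_expiry": sorted(d.isoformat() for d in bob_later),
    }


if __name__ == "__main__":
    print(simulate())
```

The point the model makes concrete is where the work happens: the central system only ever holds the daily codes of people who tested positive, while every phone does the 96-codes-per-day regeneration and lookup against its own store, so neither the server nor the other user learns which phone the collected code came from.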
While it is unlikely ever to happen, you should be aware that there are some unusual circumstances in which another person might be able to identify that you were the person who had tested positive when they receive an alert. If an App user had only been in contact with you and no one else, they would be able to infer who the infected person was when they received an alert. This could also happen with manual contact tracing.
The App uses automated processing to advise users who have been in close proximity to those who tested positive to self-isolate. This means that the App will automatically send a notification to self-isolate: no one will know that you have been advised to self-isolate unless you choose to tell them yourself. The App will remind users that they can phone NHS 111 if they would like to discuss the advice to self-isolate.
The App will count down how long you need to self-isolate and will provide information and support when self-isolating.
Your symptoms and ordering a test
If you choose to check your symptoms using the App, the symptom information that you enter will be processed by the App but the App will not tell anyone else your symptoms.
If the App advises you to take a COVID-19 test, you will be directed to the NHS Test and Trace website to book a test. The NHS Test and Trace website will open in a new window. This website will collect your contact details (in order to be able to provide the test) but this information will not be shared with the App.
Booking a test via the App will generate a test code that will allow you to link your test result to the App automatically. If you test positive the App will ask you to share your anonymous contact tracing codes with other App users. The test codes that link your test result to your App are only held in the DHSC secure computing infrastructure for long enough to send your App your test result. The test codes are deleted within 24 to 48 hours.
Venue check-in
When you set up the App, it will ask you for permission to use the camera on your device in order to check in to venues using QR codes. If you check in to a venue, the information will be stored on your phone for 21 days. It will not be shared with anyone else. The choice of 21 days takes into account the 14-day incubation period, and 7-day infectious period of the virus.
You will be able to see the list of venues where you have checked in on your phone. You can delete the whole list at any time. In future versions of the App you will be able to choose to delete single items from the list. No one else will know where you have checked in unless you choose to tell them, and the data will not be shared by the App.
Your personal data
‘Personal Data’ is a term defined in law.
The following 4 types of data are considered ‘personal data’ when they are on your phone, because they are being stored on a phone that is registered to you personally:
- the postcode district you provide when you install the App
- the symptom information you enter onto the App
- the QR codes of the venues that you scan into the App
- the 2 types of code that are described above that are generated every day and every 15 minutes respectively for contact tracing purposes
Once the data moves out of your phone and, for example, is fed into the DHSC secure computing infrastructure (see below) there is no way of telling that it came from your phone or that it relates to you. The 4 types of data may be made available to DHSC at different times when you use different functions of the App, but this will only be in a form which cannot identify you.
The test code and test result will be personal data both when they are on your phone and when they are held on the central system. When they are held on the DHSC secure computing infrastructure, they are governed by strict controls of security, access and systems. These are designed to monitor and restrict who can have access and stop anyone from being able to identify you.
Please note: The App uses the make and model of your phone to support functionality.
What we ask of you
Everyone, whether an App user or not, is required to self-isolate if they test positive for COVID-19.
The behaviour sought by your use of the App is:
- download the App and use it daily
- keep the App ‘on’ and carry your phone at all times when you are able to
- follow instructions issued by the App
- ‘pause’ the App when appropriate
- enter symptoms and take a test quickly when advised to
The App will ask you to do these things, but it will not compel you in any way and no one will know anything about your personal use of the App. It does not record or track where you or other App users are (for example, at home or in a public space). The App does not identify you or your location to other App users. You can delete the App at any time.
Our responsibilities
We will adhere to our legal responsibilities. The legal basis for processing your personal data under the General Data Protection Regulation (GDPR) and Data Protection Act (DPA) 2018 law is:
- GDPR Article 6(1)(e) – the processing is necessary for the performance of its official tasks carried out in the public interest in providing and managing a health service
- GDPR Article 9(2)(h) – the processing is necessary for medical diagnosis, the provision of health treatment and management of a health and social care system
- GDPR Article 9(2)(i) – the processing is necessary for reasons of public interest in the area of public health
- DPA 2018 – Schedule 1, Part 1, Section 2(2)(f) – the management of health care systems or services
- DPA 2018 – Schedule 1, Part 1, Section 3 – public health purposes
We will continue to develop the App following the Information Commissioner’s Office (ICO) Contact Tracing Principles.
Any data you share is used to help us:
- provide advice to App users based on the latest information
- provide advice to the public based on the latest information
- learn more about coronavirus to support health services, such as your local hospital – for example, this could be giving them up-to-date information about coronavirus in the area
- improve and monitor the effectiveness of the App
If you choose to delete the App, you will not receive any notifications (alerts) from the App about coronavirus (COVID-19) and the data stored by the App on your phone will be deleted. If you decide to install the App again, you will need to provide the requested information again.
We will never share your data without your permission, and we will only process it as described in this privacy notice.
There is more information in the Data Protection Impact Assessment (DPIA) prepared for the App by DHSC and available on GOV.UK.
The DHSC secure computing infrastructure
The App is supported by a central DHSC secure computing infrastructure hosted on Microsoft Azure Cloud Services (UK) infrastructure. Data in this DHSC secure computing infrastructure will be made available only to individuals that have been formally authorised to access it. Information will only be able to be transferred from this DHSC secure computing infrastructure to another system if appropriate, and after an updated Data Protection Impact Assessment has been carried out.
The DHSC secure computing infrastructure only processes data that has been anonymised once it enters the infrastructure, with the exception of a test code and test results which are held briefly. The test codes that link your test result to your App are only held in the DHSC secure computing infrastructure for long enough to send your App your test result. The test codes are deleted within 24 to 48 hours.
Other than these test codes, the data held and used within the App’s central systems (the DHSC secure computing infrastructure and analysis area) cannot identify you. In particular it will not be possible for DHSC to link any data that it receives from the App and feeds into the analytical infrastructure with other data available to it in a way that could identify any particular user.
DHSC also uses data it receives from the App for wider planning and research into COVID-19. For example, the App will collect data about the number of cases of COVID-19 in each postcode district and about how often the App has been downloaded overall. This data is used to:
- enable local government and NHS organisations to plan and respond to localised outbreaks of COVID-19
- support the response to the COVID-19 public health emergency
- enable learning about COVID-19 and its impacts
- help us to examine why particular areas of the country see higher rates of infection than others
The data to support this will be uploaded daily by the App to a dedicated analytical area, provided and operated under contract to DHSC. Any information, once it has been received by the analytical area and when it is subsequently used for analytical purposes, will not identify an individual App user. As a result the data in this form will be classed as anonymous (does not identify a person directly or in combination with other information) or aggregated (aggregated data is information gathered and expressed in a summary for statistical purposes and does not allow an App user to be personally identified).
Any use of data and information generated or collected by the App will comply with Data Protection law and the Common Law Duty of Confidentiality (where applicable).
Retention of data
Data held in the DHSC secure computing infrastructure will not contain direct, indirect or consistent identifiers. This means that the retention of this data should not be considered within the legal context of GDPR/data protection. However, limits for the retention of data sets and records need to be set even where the data does not constitute personal data. This applies to the analytical data explained above.
Retention of records associated with the App is likely to fall into 2 categories. These categories are records which are used to:
- hold organisations to account: held for 8 years
- monitor communicable diseases, for example in the COVID-19 public health emergency: retained for 5 years if they contain personal data (which is not the case in this instance) and 20 years for anonymous data, prior to any review
Retention of these records is governed by the relevant Section 46 Code of Practice, Public Records Act and statutory duties of the organisation accountable (DHSC).
Most data is retained only on the user’s phone. Daily codes (the ones used for contact tracing) are retained on the user’s phone for 14 days and are then deleted (14 days is the incubation period for the virus). Submitted daily codes are retained on the DHSC secure computing infrastructure for 14 days and then deleted. So, the maximum age of a daily code that has been distributed to the DHSC secure computing infrastructure is 28 days.
The test codes that link your test result to your App are deleted within 24 to 48 hours.
QR codes that are scanned by the user when visiting venues are automatically deleted after 21 days. The choice of 21 days takes into account the 14-day incubation period, and 7-day infectious period of the virus.
Please note: the retention settings will follow the latest government advice, which may increase or decrease these periods by several days. For example, the self-isolation period recently increased from 7 to 10 days.
Your rights under the Data Protection Act 2018 and GDPR
By law, you have a number of individual rights, such as the right to know what personal data is held about you. You can ask an organisation for copies of your personal information verbally or in writing. This is called the right of access and is commonly known as making a Subject Access Request or ‘SAR’. However, these rights are mostly only available when the data controller (in this case DHSC) holds information that can identify you. The App is designed to prevent DHSC being able to identify you. Data controllers are not required to collect or hold personal information solely to respond to a rights request. This means that DHSC will not collect extra information solely in order to be able to identify you, in order to be able to respond to your request for the data held about you.
Concerning the personal data held on your phone, subject access requests are facilitated by a feature on the App that allows users to view the data held on the App. The right to object and the right to be forgotten can be exercised by the user deleting the App. DHSC will not, however, be able to respond positively to most of the other rights because it will not have access to the personal data in question. Please see the DPIA for further information. Information about your rights and how to use them is available from the Information Commissioner’s Office.
With respect to the DHSC secure computing infrastructure, except for the test code and result, no personal data will be held about any App users. It will not be possible to inform App users about their test code and result because it would require DHSC to collect further information and personal data just in order to satisfy this right. It would also undermine the privacy protection afforded to this data for the limited time that it is stored in the cloud.
If you are unhappy or wish to complain about how your information is used as part of this App, you should first contact the DHSC Data Protection Officer (DPO) to resolve your issue (see DPO section). If you remain unhappy, you can complain to the ICO.
Further information
If you would like more detailed information about the App, you can find this in the Data Protection Impact Assessment created for the App.
For more general information about coronavirus, please go to GOV.UK/coronavirus.
Data Controller
A ‘Data Controller’ is the organisation that is legally responsible for deciding how and for what reason a user’s personal data is processed. For the NHS Test and Trace App, the Data Controller is the government Department of Health and Social Care (DHSC). Data Controllers have a ‘Data Protection Officer’ who acts as a contact point for questions about your data. Details of DHSC’s Data Protection Officer can be found at the end of this information.
The App is being overseen by NHS Test and Trace, which is part of DHSC. DHSC has contracts or agreements with some other organisations that provide services in developing or supporting the App. The ones that will be processing personal data are:
- Amazon Web Services which hosts the central system (cloud server) that supports the App, and
- The Health Informatics Service (THIS), which is hosted by the Calderdale and Huddersfield NHS Foundation Trust. THIS provides the ‘NPEx’ system which provides test results to the App (using the test code unique to the App)
These organisations can only work under instruction from DHSC and cannot use information they process for any other purposes.
These organisations’ details can be found in the DPIA.
Data Protection Officer (DPO)
The Data Protection Officer for DHSC is Lee Cramp, who can be contacted by sending an email to data_protection@dhsc.gov.uk.
Security of your information
The system gives a high level of privacy protection, as the App does not collect or transfer any information that tells us who or where you are. This also means it cannot tell the NHS, people and organisations who have contributed to the development of the App, or any other App user who or where you are.
In addition to the protections already explained above, we have implemented and maintain the necessary technical and organisational security measures, policies and procedures.
These are designed to reduce the risk of:
- the deliberate or accidental destruction of data
- the loss of data
- unauthorised access to or disclosure of the information collected by the App
This includes:
- limiting access to those who support the management of the App
- using secure, privacy-preserving methods when details are shared between App users (see the randomly generated daily and 15-minute codes described under ‘Digital contact tracing’ above)
Other privacy notices
Privacy notices relating to other parts of the NHS Test and Trace Programme: