‘The Worst Possible Outcome’ – Tech Privacy Experts on the Problem with NHS Test and Trace

NHS Test and Trace, the government service intended to track the spread of coronavirus, has changed the way we socialise. The “new normal” of eating out or visiting a pub during the pandemic goes something like this: you take a seat at a socially distanced (but not always) table, and a member of staff (wearing PPE, but not always) asks you to scan your phone over a QR code. In little more than the time it takes to apply a dose of hand sanitiser, you have provided your personal details to the contact-tracing system.

Along with face masks and Zoom calls, NHS Test and Trace system is just one of the many new facets of life during the coronavirus pandemic. But chaos, confusion and a lack of transparency have led many to criticise the largely privatised system, and ask what happens to our personal data once we hand it over.

Launched at the end of May, NHS Test and Trace works by tracking down the recent contacts of individuals who have contracted coronavirus. According to government guidelines, if you test positive for COVID-19, as well as self-isolating, you must share this information with NHS Test and Trace. The service then asks for the details of everyone with whom you have had close, recent contact, along with the places you have visited – such as pubs and restaurants. The NHS Test and Trace team sends alerts to these people, letting them know that they need to self-isolate.

Epidemiologists agree that a well-run contact-tracing system is essential in the fight against a pandemic. So, what’s the issue with NHS Test and Trace?

Dr. Gus Hosein, executive director of Privacy International and an expert in technology privacy, argues that the system is anything but well-run. “This is the worst possible outcome,” he says. “The government are MIA, so each pub has a different regime for our data, with different standards of care.”

Back in May, Boris Johnson promised that Britain’s contact-tracing system would be “world-beating”, supported by an app that could send automated alerts to anyone who had been in contact with an infected person. But, three months later, the app is still nowhere to be seen.

Instead, we have NHS Test and Trace, a less advanced system run by private companies including Serco and Sitel. Government advice states that pubs and restaurants must collect the name, phone number and date of visit of each group of customers in order “to support NHS Test and Trace”. This allows call handlers to contact an establishment and track down its customers, should one of them test positive for COVID-19. After 21 days – the coronavirus incubation period – if a customer has not tested positive, the establishment must destroy their data. (Customers can choose to opt out of sharing their personal details).

But with a little guidance on how to safely collect and store customer data, hospitality establishments have been left to improvise with these guidelines. Women have already faced harassment from pub staff who had abused the Test and Trace system to take their contact details.

“The government only published their guidance for pubs to collect contact details two days before pubs were due to open, so it’s up to the pubs how they want to do it,” says Madeleine Stone of privacy activism group Big Brother Watch. “Pubs want to be on the safe side but overcompensate, and end up buying really invasive surveillance tools.”

There is already a growing market for apps that offer to sort hospitality establishments’ data collection, including worrying products such as VenueTrace, which uses customer check-in data to grow mailing lists. “There are companies out there that are desperate for our data,” says Stone.

But privacy doesn’t seem to be a concern for the government. As WIRED UK reports, privacy organisation Open Rights Group (ORG) has filed legal action against the Department of Health for failing to complete a Data Protection Impact Assessment (DPIA) for the Test and Trace system. A DPIA – a risk assessment aimed at protecting data and human rights – could have put steps in place to prevent inadequately trained staff from sharing the details of COVID-19 patients on WhatsApp, or Serco’s multiple data breaches.

Of course, any company must comply with the recent GDPR guidelines established to protect our data. But these standards are put in place by a government that Hosein describes as “institutionally incompetent”.

He adds: “It fails even to do their homework and actually follow the laws that they have established for themselves.”

If we can’t trust the government to protect our data, Dr. Bharat Pankhania, an expert in disease control and management from the University of Exeter, says that we should expect “independent and continuous monitoring to show us that the data is safe”. This becomes even more important when you consider that Serco will keep NHS Test and Trace data for eight years – down from 20 – for unspecified research purposes.

“We don't know what the research is,” Stone says. “ORG have managed to bring that down by asking why, but even eight years is very excessive.”

The tricky thing is, we do need personal data to help fight this pandemic, and ones to come. A recent report published in The Lancet found that to prevent a second wave of coronavirus in the UK, a widespread system of testing, tracing and isolation was crucial. As well as stemming the spread of infection, it would help answer key questions about how factors such as age and gender impact coronavirus transmission.

“It’s very important to collect the data,” says Pankhania. “It not only gives us a lot of information about the number and trend of cases, but it also gives us a degree of knowledge as to who exactly is getting ill and which groups are more specifically being affected.”

The problem is that we are being forced to choose between digital privacy and the pressing need to stop coronavirus. “I am terrified that the government is going to try to create a narrative of privacy on one hand versus a pandemic on the other,” Hosein says. “It’s just a distraction to mask over incompetency.”

Just because contact tracing is essential that we shouldn’t settle for an inadequate and unsafe system. We need the data just as much as we need privacy and safeguarding, and it’s up to the government to provide us with both.

@ououmuouo