The UK’s coronavirus contact tracing app has been kicked into the long grass, with the government now saying it is not a priority and may not be ready until winter. The app, which has so far cost nearly £12 million, was supposed to be a key part of plans to identify and isolate anyone who had come into contact with someone reporting COVID-19 symptoms.
If the app does finally appear, it will now be based on a Google and Apple system, which means it won’t store information in a central database. This had been the plan for the original government-developed system that had worried privacy researchers, including myself. But even if the app never gets off the ground, that shouldn’t distract us from seeking more insight into what the government and some companies with strong political connections are still doing with our health data.
I was one of nearly 200 UK information security and privacy academics who published a joint letter in April asking the government’s digital health agency, NHSX, key questions about its plans for the app. At the time there was no data protection impact assessment (DPIA) – even the data privacy watchdog the Information Commissioner’s Office (ICO) hadn’t seen one.
There was no publicly available information on how the app would work or keep the data secure, and it was not clear that it would work at all. There was also no justification for the choice of a centralised data matching model that was intrinsically riskier to privacy.
We got answers to some of these soon after: an unsatisfactory DPIA, code for the app but not for the server, and a security analysis that included some justifications for centralised processing.
One of the purposes for the app was centralised planning for the COVID-19 response. In parallel, NHSX has been developing a “data dashboard” to manage all the data it is collecting for this purpose. The NHS website lists 59 sources of such data, several of which include data about individual patients, such as the Emergency Care Data Set.
Initially, Matthew Gould of NHSX claimed “all the data in the data store is anonymous”. But that unlikely claim was corrected later with an acknowledgement that some data would be pseudonymous, meaning that combining it with other data could allow patients to be identified.
More worrying was the choice of partners by NHSX for this project. The data was to be stored on a platform developed by US company Palantir, which was initially funded by the CIA and counts numerous US government agencies as its customers. These include the FBI and the National Security Agency responsible for the secret government internet surveillance programme revealed by Edward Snowden.
Palantir’s initial contract with the NHS, which reportedly did not go to competitive tender according to protocols introduced for the pandemic, charged a symbolic £1 for 45 engineers over three months. But it wasn’t made clear how else the company would benefit. Palantir’s UK operation is led by Louis Mosley, reportedly a former Tory activist.
The other contracted company, Faculty, has even stronger links to the government via Boris Johnson’s chief adviser, Dominic Cummings, who gave it a key role in the Vote Leave campaign (under the firm’s old name of AIS). The firm’s director Marc Warner has also attended the government science advisory committee SAGE.
The inhabitants of the internet cobbled all this together into a nice conspiracy theory, which might be summarised as “the app is giving all our data to Dom’s mates”. This can be seen across social media, for example in the responses to a popular tweet about our letter.
But while it appears the app is off the table, or at least that England and Wales will get a more privacy respectful one run by internet giants, there’s still reason to be concerned about NHSX’s use of patient data and how it’s being shared with private companies. Palantir’s original contract was published under legal pressure but its renewed contract has not been. In particular, we do not know whether NHSX is paying Palantir properly this time.
We also know more clearly that there is a lot that we’re not being told, as the government has only published a DPIA for data being combined and stored but not for how it’s then being used for planning, including possibly through AI. The DPIA only assesses Palantir’s role for data storage, and yet the firm’s original contract also mentions “data analytics”, “help monitoring, surveillance, and reporting”, and none of that is covered in the document. It also doesn’t mention Faculty, which says it is working on data dashboards and modelling as part of its contract with NHSX.
Consultation with stakeholders and external experts is recommended for DPIAs, but none was done here. Even branches of the NHS responsible for health data handling, such as NHS Digital, do not appear to have been consulted.
A DPIA should examine how the rights and freedoms of the people whose data is collected might be affected and ask: “What could possibly go wrong?” When you assemble a large database including individual medical data, there are many possibilities for it to be used beyond its original function and for abuse, bias and unexpected harmful side-effects. Unfortunately, this DPIA only recognises low-level risks with their technical and organisational mitigations.
Overall, that leaves us in a position where we do not know what Palantir, Faculty and others are doing with NHS medical data. We do not know whether the risks of abuse of the data have been properly recognised and mitigated. But we do know that this kind of database is not protected against access by intelligence services.
A full DPIA for the NHSX’s COVID-19 data operation might help. A more comprehensive solution would include a law to protect the pandemic-specific data programmes. But the proposal by the Joint Human Rights Committee has been rejected by the government. So for now, there is much still to worry about.
Why we need to know more about the UK government’s COVID-19 data project – and the companies working on it (2020, June 24)
retrieved 24 June 2020