NHS Covid-19 Test and Trace App: What happens to our personal data?


Authored by DAS

Since its launch on the 24th September 2020, over 14m people in England and Wales have downloaded the NHS Covid-19 contact tracing application.

However, the system, designed to help keep people safe, has been subject to heavy criticism with reports of various glitches and false alarms, not to mention concerns over the management of sensitive private data.

Given the problems, how much do we know about how the app works, what happens to the personal information we share, and how are our details being captured, stored and used?

Chloe Williams, Legal Adviser, DAS Law, tells you what you need to know…

How does the NHS Track and Trace app work? Am I legally obliged to download and use it?

The NHS Covid app is completely voluntary. You do not have to download it; however, it is highly recommended. The app can be downloaded, uninstalled and deleted at any point. The app has many features, which include the following:

Trace: Find out when you’ve been near other app users who have tested positive for coronavirus.

Alert: Lets you know the level of coronavirus risk in your postcode district.

Check-in: Get alerted if you’ve visited a venue where you may have come into contact with coronavirus, using a simple QR code scanner, which means no form filling.

Symptoms: Check if you have coronavirus symptoms and see if you need to test.

Test: The app helps you order a test if you need to.

Isolate: Keep track of your self-isolation countdown and access relevant advice.

What are the key elements of the NHS Test and Trace service?

The NHS Test and Trace service has been put in place to ensure that anyone who develops symptoms of coronavirus can be tested quickly to establish if they have the virus. It also helps trace close/recent contacts of anyone who tests positive for coronavirus and, if necessary, notifies them that they must self-isolate in order to try and control the virus and stop it from spreading.

It has been introduced with the aim to help return life to normal, in a safe way which protects the NHS and Social Care sector. The service allows the government to trace the spread of the virus and isolate any new infections. This will play a vital role in ensuring there is plenty of warning if infection rates are increasing, locally or nationally.

Is it legal for businesses (restaurant, pubs, cinemas, or museums) to request my personal information? Does this contravene the data privacy laws?

Government guidance suggests that it is critical for organisations to take a range of measures to ensure that everyone is kept safe. It also states that organisations must ask for relevant information, keep those records for at least 21 days and provide any data to NHS Test and Trace if requested. It is acceptable for companies to ask individuals for this information; however, they are still required to adhere to the General Data Protection Regulation (GDPR), and how they handle the data is important in order to comply with the laws. Failure to comply with any of the government’s requirements could result in fixed penalty fines.

Am I legally obliged to provide my information and can I refuse to provide my personal data?

Businesses can refuse entry to anyone that does not provide the required information in order to comply with Track and Trace. Therefore, if the information is not provided, then you may not be granted entry. Guidance states that those exempt from providing this information are:

Police officers or emergency responders on duty;

Anyone visiting the premises for delivery or collection by suppliers or contractors (this includes food and physical goods);

Anyone under the age of 16. Anyone claiming to be under the age of 16 should not be challenged or requested to provide identification unless it is believed to be false;

Anyone who does not have the mental capacity to provide their contact details (Hospitality venues should not refuse entry where they are normally required to do so).

Businesses will not be in breach of requirements if they have reason to believe someone cannot provide these details for disability reasons and do not ask them as a result.

Are there any legal ramifications if I provide false information such as an incorrect telephone number, name or email?

It is against the law to provide false information to the Track and Trace service. The new Coronavirus Act punishes those who fail to comply with a £1000 fine for a first offence, which can rise to £10,000 for repeat offences.

Who is policing the collection and retention of personal data?

The Independent Commissioners Office (ICO) is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. All businesses are obliged to comply with data protection law. Under GDPR rules there are lawful bases that allow the government to collect, process and share personal information for NHS Track and Trace for legal obligations and if it is within the public interest.

If you have any concerns about how your information is being used/stored, you can question this with the business, potentially even submitting a Data Subject Access Request. If you still have further concerns following this, you can contact the ICO, who may investigate further.

How long can businesses and/or organisations retain my personal information?

Government guidance under the new data protection laws states that it is a legal requirement for businesses to hold the required information for track and trace purposes for a minimum of 21 days. This could potentially be longer depending on the circumstances – e.g. if the police ask for information on day 20.

How are businesses using this data and how can I be sure they are not using it for other purposes such as marketing, advertising or selling the information to third parties?

GDPR rules require that any personal data collected must be processed fairly and transparently, as well as lawfully. If it has been collected for contact tracing purposes only, it must be used only for those purposes and not for anything else. This means it should not be used for marketing, profiling, analysis or other purposes unrelated to Track and Trace. People sharing this data as part of Track and Trace should not be put at a detriment in any way.

If I make a booking for a group of people in a pub/restaurant or other venue, am I legally responsible for collecting and providing the details of all the people in the group?

No. Government guidance under the new law states that at least one member of every party or group (up to six people) has to provide their details for the system. Therefore it may only be required that only your details 


About DAS Group

The DAS UK Group comprises an insurance company (DAS Legal Expenses Insurance Company Ltd), a law firm (DAS Law), and an after the event (ATE) legal expenses division.

DAS UK introduced legal expenses insurance (LEI) in 1975, protecting individuals and businesses against the unforeseen costs involved in a legal dispute. In 2018 it wrote more than seven million policies.

The company offers a range of insurance and assistance add-on products suitable for landlords, homeowners, motorists, groups and business owners, while its after the event legal expenses insurance division offers civil litigation, clinical negligence and personal injury products. In 2013, DAS also acquired its own law firm – DAS Law – enabling it to leverage the firm’s expertise to provide its customers with access to legal advice and representation.

DAS UK is part of the ERGO Group, one of Europe’s largest insurance groups (the majority shareholder in ERGO is Munich Re, one of the world’s largest reinsurers).