Health secretary Matt Hancock announced an official NHS app to help trace anyone who has contacted COVID-19 in April, however the initiative has immediately raised privacy concerns.
The app, developed by the NHS’s innovation wing NHSX, will focus on tracing symptoms rather than diagnosis. It is understood that data will be stored in a central database and will require Bluetooth features to be switched on constantly to be effective – putting unique device IDs at risk. Soon after the announcement, The Guardian reported on a classified draft government memo that would give ministers the power to ‘de-anonymise’ users.
Doubts were also raised about the efficacy of the app in general, because for it to be effective, 60 percent of people in Britain will have to voluntarily download it. And even if they do, due to the imprecise nature of Bluetooth technology, it could return false positives.
“Senior sources” told The Times that NHSX was also working with Google and Apple – owners of the two major mobile operating systems in Android and iOS, respectively – on the application, but did not say to what degree.
Other governments including those of Singapore and China have used mobile geolocation data, with the stated purpose of tracking or slowing the spread of novel coronavirus, although these also raised questions about the safeguarding of personal data.
A similar COVID Symptom Tracker mobile app has been developed by King’s College London, Guys & St Thomas’ hospitals along with private nutrition data company Zoe Global, which attracted nearly a million downloads in its first week, after quickly circulating on social messaging applications like WhatsApp.
The app, which was developed in three days by the researchers, is simple enough: users fill in a profile about themselves and mark the symptoms they have or haven’t had.
Professor Tim Spector is a genetic epidemiologist at KCL, who has specialised in the genetics and histories of twins. At first, says the BBC, the app was aimed at twins taking part in Spector’s studies, but was revised to apply to the general public.
The idea is that data from the app could ultimately help shape a map of where outbreaks have occurred, as well as to assist in determining why COVID-19 affects some people worse than others. It is available on iOS and Google Play, but not accessible through search results on the latter – only by the direct link. Initially it was only available in the UK, but is now open to USA signups too.
Spector serves as director for Zoe Global, which describes itself as a nutritional science company, and he has written extensively about nutrition, including the book The Diet Myth.
Neither Zoe Global or KCL responded to requests for comment on clarifications about privacy and ethical concerns surrounding the app. A spokesperson from Guy’s and St Thomas’s NHS Trust would not comment, and suggested we speak with KCL.
Privacy concerns
There is, of course, a race to limit the damage caused by the pandemic, as well as glean as much data as possible to be made available for researchers. Privacy specialists such as Pat Walshe, who tweets @ PrivacyMatters, have urged caution about racing to install apps that are not totally transparent on their use of data.
Walshe told the BBC he was “concerned by the rash of websites and apps intended to allow people to report of their COVID-19 symptoms”.
He added: “I’ve found it difficult or impossible to determine who is behind a number of them. They do not adopt appropriate standards of compliance with data protection law and I see dubious ethics.
“Could an app help? Yes, possibly. But I think we need the NHS to coordinate it in order to provide confidence, trust and protection.”
On the FAQ page of COVID Symptom Tracker’s website, the researchers state that the data is protected under GDPR and thus can “only be used for the purpose that you consent to” – which means it can “only be used for medical science and to help the NHS”. It adds that it minimises personally identifiable information, and that any submitted data will not be used for commercial purposes.
However, in its privacy notice, the researchers add that when data is shared with researchers in the USA, data may not be protected “in the same way, or as well as, under GDPR”. It also lists the institutions it shares data with as: KCL, Guys & St Thomas’ Hospitals, the NHS, Harvard University, Stanford, Massachusetts General Hospital, Tufts, Berkeley, Nottingham, University of Trento, and Lundt University.
Ethical questions
Additionally, organisations conducting research on human beings led from England are required to seek Health Research Authority (HRA) Approval, reviewed by a Research Ethics Committee. The separate COVID-19 Social Study, for example, has received approval from the UCL Research Ethics Committee. We’ve asked for clarifications on these matters and are awaiting a response.
“People are losing their heads and ignoring the fact that doing medical studies is not just a matter of data protection,” Phil Booth, of health data privacy group MedConfidential, tells Techworld.
“For example, the World Medical Association’s Declaration of Helsinki states: Every research study involving human subjects must be registered in a publicly accessible database before recruitment of the first subject. One presumes that legitimate researchers and medics in UK universities and hospitals do not wish to deviate from such fundamental, internationally agreed principles.”
Other efforts have taken an open source approach to tackling the pandemic, including the Open COVID-19 Data Working Group, which has created an open access database that forms the data for a COVID-19 HealthMap.
The World Health Organization is also working on an open source application that will be available on Android, iOS, and online, to curtail coronavirus, and has called for contributions.