Skip to main content

No trace of the UK’s Track and Trace App

Data Protection and Contact Tracing

Back in May, it was all hands to the wheel to roll out the UK Government’s ‘Track and Trace’ contact tracing phone app to support existing contact tracing methods in operation. However today, it’s still unclear if and when the app will be available. With other countries across the world having delivered contact tracing apps to mitigate the risk of the spread of COVID-19 in their country, many wonder why the UK is still lagging behind.

How do contact tracing apps work?  

For contact tracing apps to be successful, individuals must voluntarily download the app to their smartphone and complete registration. As people go about their daily business, their phone submits randomised signals or ‘digital handshakes’ to nearby smartphones using Bluetooth and this contact is tracked. If someone is diagnosed with Coronavirus they can report this via the app and this will trigger alerts to those they have been in contact with. Those contacts will receive a notification on their phone to let them know they are at risk and should self-isolate. All information shared is anonymised to protect the identity of the diagnosed person.

Unsurprisingly, contact tracing technology has attracted a lot of attention from the public, media, security experts and regulators due to the potential impact on the privacy rights of individuals. There are concerns around accidental or malicious disclosure of medical information, the possibility that personal data could be repurposed without the public’s knowledge and the risk of mission creep, for example, that apps could be developed to capture additional information, such as physical location, reducing privacy and anonymity.

The UK Information Commissioner and the European Data Protection Board both issued statements that are supportive of the use of contact tracing apps as a method of containing the difficulties imposed by the COVID-19 pandemic but stress the importance of a data protection by design and default approach to the development and use of these apps to ensure the privacy rights of individuals are protected. This means that those developing contract tracing apps must be transparent about the purpose and nature of processing and ensure that the principles of the GDPR are embedded into the design process.

Centralised vs Decentralised

There are two models of contact tracing application; centralised and decentralised. In April 2020, Apple and Google announced that they collaborated to develop a decentralised contact tracing framework under which anonymised data is processed and stored on individuals’ smartphones, making it very difficult to hack or trace a diagnosis back to an individual. Using a centralised model, contact tracing data is processed and stored a remote server (rather than on phones).

The UK Government initially considered the decentralised framework designed by the tech giants, but instead opted to develop a centralised model in partnership with NHSX and the University of Oxford, the system also adopted by France and Japan. This decision attracted attention from security experts who advised that a centralised approach creates a greater risk of hacking and compromise of the data and, without detailed technical analysis and comment from cryptography experts, it would be hard to a determine if the centralised model is sufficiently secure to protect users privacy. Practical questions were also raised about interoperability between centralised and decentralised applications, as travel restrictions begin to ease and we see close-by countries such as Ireland adopting decentralised models. Without interoperability, the apps would be ineffectual in tracking cross-border virus spread.

Nevertheless, the NHSX moved forward with the design of the application and it reached the testing stage in the Isle of White in May. After a period of unsuccessful testing, the UK Government announced on June 18th that due to technical flaws, it would pause the release of the app. Further, in an unexpected twist, the Government has decided to turn its back on the centralised model and work with Apple and Google to deliver a decentralised contact tracing app.

What happens next?

The Government has yet to confirm the timescale for its release but in the meantime, lockdown restriction are easing and retail and leisure facilities are reopening. As we wait for an update on the technical solution, some businesses including pubs and restaurants are being instructed to implement their own methods of contact tracing based on Government guidelines.

The decision has been taken on the basis that activities such as dining, whether in indoor and outdoor areas, create a higher risk of the spread of COVID-19. In the event that a customer or visitor becomes infected, the contact information collected allows the tracing of other individuals via the Test and Trace Scheme in England or Test and Protect Scheme in Scotland, who were also present and may be at risk. The disclosure of personal data is voluntary, which raises the question of how effective this will really be and of course, there is the chance that fake contact details may be shared by some who are unhappy to share their information but want to get over the threshold. Nevertheless, it’s a lot of responsibility for a business to take on and it can’t be taken lightly.

For some establishments, this activity might be viewed as no different to recording customer reservations. However, it is different. The risk of these large datasets being accessed, lost or misused is greater than before as businesses implement new and immature processes for the collection of contact tracing data in haste. We saw a recent example in a New Zealand sandwich shop, where a customer’s data collected via a contact tracing list was misused by an employee to contact the customer after she visited the business. The customer complained that her privacy had been violated by the unauthorised use of her data. Businesses must take precautions to demonstrate that the information is being processed in accordance with data protection law or they may face a data protection breach.

The ICO has provided comment on the data protection considerations that organisations must take when processing contact data during this time. If your business collects personal data for contact tracing, the key points to note are:

  • Think about how you will communicate the message to customers and visitors i.e. over the phone, by email or using signs or leaflets;
  • Businesses must tell their visitors/customers why and how their data will be used;
  • Check the processing is lawful. Consult the government guidance and identify the lawful basis for processing personal data. For private businesses legitimate interest is likely to be applicable and for the private sector, public task but consent may be required in some circumstances;
  • Advise people that data may be shared as part of a contact tracing scheme, if required;
  • Only collect the information that is necessary;
  • Make sure the data is collected accurately. Disclosure is voluntary and it’s not necessary to verify and individuals identity but you should endeavour to collect complete and accurate;
  • Secure the information whether digital or physical records, to prevent loss or accidental disclosure or destruction;
  • Make sure your employees understand their responsibility to use records in a GDPR complaint manner;
  • Only keep the data for as long as is necessary (in England the guidance is 21-days), then securely dispose of the information i.e. shred.


It’s clear there is a long road to travel before we reach the other side of this health pandemic. For individuals, there is an expectation that we will be willing to be more free and easy about the information we share about ourselves and our health to help facilitate the ease of lockdown restrictions. There is also an expectation that the businesses we share our data with don’t lose sight of their data protection responsibilities and an assumption that data protection is the default position. Whether we share our information via a contact tracing app to get access to the local beer garden, we need to be willing to put a lot of trust in others. Judging by large numbers flocking to beer gardens over the last couple of weeks, trading our privacy for a pint is a risk a lot of us are seemingly willing to take.

Insight from Morgan O'Neill, Director of Data Protection Services at Thorntons. If you have any questions about the data protection implications of contact tracing for your business or if you require advice on processing staff, customer and employee data during the COVID-19 pandemic, please contact Morgan on 0131 225 8705 or email moneill@thorntons-law.co.uk 

About the author

Morgan O'Neill
Morgan O'Neill

Morgan O'Neill

Director, Data Protection Services

Data Protection & GDPR

For more information, contact Morgan O'Neill or any member of the Data Protection & GDPR team on +44 131 624 6854.