As Scotland experiences an increase in positive cases of COVID-19, and increased local restrictions, it was timely of the Scottish Government to launch the Protect Scotland or ‘Protect Scot’ contact tracing app. The app is available to download to smartphones from the Apple or Google Play stores for anyone living in or visiting Scotland. Once downloaded, the app uses Bluetooth to track the proximity and duration of contact between individuals to bolster existing manual Track and Trace initiatives and help slow the spread of Coronavirus.
How does the app work?
After downloading the app and switching the Bluetooth setting on, individuals can go about their daily business while their phone exchanges random IDs with other app users when they come into ‘close proximity’. Close proximity is defined as 2 metres, and individuals must be within this range for at least 15 minutes for the app to record the contact. The random IDs are stored locally on the users’ respective smartphones. If someone is diagnosed with Coronavirus, they will be texted an authorisation code, which they can enter into the app. This triggers the app to send the random IDs, known as ‘diagnosis keys’, to the app server, which sends ‘exposure notifications’ to the individuals they have been in contact with, advising them to self-isolate.
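The flow described above, modelled as an added Python example (not the Protect Scotland code or the author's): phones log random IDs only for contacts within 2 metres lasting at least 15 minutes, purge them after 14 days, and diagnosis keys are published only against a valid authorisation code. The class and method names, the single-use code and the on-device matching of published keys against the local log are assumptions made for illustration.

```python
import secrets
from datetime import datetime, timedelta
MAX_DISTANCE_M = 2.0                   # "close proximity" per the article
MIN_DURATION = timedelta(minutes=15)   # minimum contact time per the article
RETENTION = timedelta(days=14)         # maximum storage period per the article

class Phone:
    def __init__(self):
        self.sent, self.heard = [], []   # (time, random ID) pairs, kept on the device only
    def new_id(self, now):
        rid = secrets.token_hex(16)      # random: carries no name, number or location
        self.sent.append((now, rid))
        return rid
    def observe(self, rid, now, distance_m, duration):
        if distance_m <= MAX_DISTANCE_M and duration >= MIN_DURATION:
            self.heard.append((now, rid))   # contacts below either threshold are not recorded
    def purge(self, now):
        self.sent = [(t, r) for t, r in self.sent if now - t <= RETENTION]
        self.heard = [(t, r) for t, r in self.heard if now - t <= RETENTION]
    def diagnosis_keys(self, now):
        self.purge(now)
        return [r for _, r in self.sent]
    def exposed(self, published, now):
        self.purge(now)                  # assumed on-device matching against published keys
        return any(r in published for _, r in self.heard)

class Server:
    def __init__(self):
        self.codes, self.published = set(), set()
    def issue_code(self):                # texted to a diagnosed user
        self.codes.add(code := secrets.token_hex(4))
        return code
    def upload(self, code, keys):
        if code not in self.codes:       # no valid code, nothing is published
            return False
        self.codes.remove(code)          # single use (assumption)
        self.published.update(keys)
        return True

def scenario():
    t0 = datetime(2020, 9, 10, 9, 0)     # constructed timeline
    alice, bob, carol, server = Phone(), Phone(), Phone(), Server()
    bob.observe(alice.new_id(t0), t0, 1.5, timedelta(minutes=20))    # recorded
    carol.observe(alice.new_id(t0), t0, 1.5, timedelta(minutes=5))   # too brief
    rejected = server.upload("guess", alice.diagnosis_keys(t0))
    accepted = server.upload(server.issue_code(), alice.diagnosis_keys(t0))
    d3, d20 = t0 + timedelta(days=3), t0 + timedelta(days=20)
    checks = ((bob, d3), (carol, d3), (bob, d20))
    return rejected, accepted, [p.exposed(server.published, d) for p, d in checks]
```

In `scenario()`, only the 20-minute contact produces a match, and that match disappears once the 14-day retention window has passed.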
What about privacy?
Compared to the UK Government’s failed ‘Test and Protect’ app, Protect Scot has attracted less commentary in relation to privacy. The app is modelled on a more privacy-centric decentralised design under which anonymised data is processed and stored locally on individuals’ smartphones until diagnosis, making it very difficult to hack or trace a diagnosis back to an individual.
The Scottish Government has gone to lengths to provide the public with confidence that privacy has been embedded into the design of Protect Scot. During the download process the user is presented with reassuring privacy-related statements including “This app will never reveal your identity or location” and “This app will never track your identity or location”. There is also a lengthy (and perhaps overly complicated) privacy notice available which sets out the terms of processing and the lawful bases under which the Data Controllers (Scottish Government, NHS Scotland and Public Health Scotland) process the data: to perform a task in the public interest to protect public health, for reasons of substantial public interest in public health, and for research and statistical purposes.
In terms of the types of personal data used, it seems that attention has been paid to the data minimisation principle of GDPR as the personal data collected and processed within the app is limited. Personal data includes mobile numbers, IP addresses and confirmation of app use, as well as estimated dates of infection and records of notifications made via the app including ‘Authorisation Codes’ (to allow those diagnosed to report this via the app), ‘Diagnosis Keys’ (the random IDs stored locally on devices) and ‘Exposure Notifications’ (to let individuals know they are at risk).
The personal data is stored on the app for a limited period of time, from a few hours up to 14 days, which is disclosed as the maximum storage period. The app also processes metric data, which is not personal data, to capture numbers of users, authorisation codes and exposure notifications for statistical and research purposes; this data is retained indefinitely.
The app doesn’t collect additional personal data from users such as name, age or address, and it doesn’t use GPS or Google location services. In its current form it can’t be used to monitor self-isolation or to access contact information held within a phone.
Can individuals exercise their data protection rights?
It is possible, and individuals are invited to make requests. However, due to the short-term retention of personal data within the application, in the majority of circumstances it would not be possible to action data subject requests.
Limitations of the app
There are some recognised drawbacks with the app. Firstly, it’s only compatible with devices that are Android (6.0 and later) and iOS (13.5 or later). Based on the assumption that some of the more vulnerable within the population may operate older mobile phone models, many will be excluded from using the app. Secondly, the application is only available to download if you’re over the age of 16, due to privacy constraints around obtaining parental consent for the processing of children’s data. This means that older children, who may be at risk of exposure, can’t access the app. Lastly, there is still scope for false positives to occur if the app records contact through walls in flatted accommodation or between carriages on public transport.
Is it safe to download?
The decision to use the app ultimately rests with the individual. None of the information presented about the app suggests that the nature of processing is excessive or particularly intrusive from a privacy perspective and, given that c. 360,000 people in Scotland downloaded the app within the first 24 hours of the launch, it appears the Scottish public are relatively comfortable with it.
There is no perfect solution to managing a global pandemic but perhaps data can help us navigate the long road to the other side of this public health crisis.
Morgan O'Neill is Director of Data Protection Services at Thorntons. If you have any questions about the data protection implications of contact tracing for your business or require advice on processing of staff, customer and employee health data during the COVID-19 pandemic, contact Morgan at email@example.com