Many countries around the world are being forced to watch as the only tool they have to suppress COVID-19 — social distancing — causes unprecedented damage to their economies. Because suppression measures may be required until a vaccine is available (possibly 12-18 months from now), the UK and other countries are developing less economically damaging techniques, chiefly systems of testing and contact tracing, similar to those deployed in South Korea, Singapore and China. In this article, we discuss this technology and consider the data protection and cybersecurity concerns it may raise.
How It Would Work
Whilst countries ask individuals to stay home as part of their lockdowns, essential workers continue commuting to their workplaces. For these essential workers, some employers have implemented contact tracing methods in accordance with applicable domestic employment and data protection laws (see Skadden’s client alert “COVID-19, Contact Tracing and Data Protection in the Workplace” in the March 2020 edition of our Privacy & Cybersecurity Update). Countries such as the UK are planning gradual lockdown exit strategies by developing public health care mobile applications that will assist in both the testing and tracing of individuals to enable their return to the workplace but only after certain checks have been cleared. In practice, the government would request that individuals download onto their mobile phone a public health care application and use it to identify themselves and provide certain health-related information, including whether they have been experiencing COVID-19 symptoms and/or share their temperature reading.
The application would use the information to build health profiles of its users to assess whether or not they need COVID-19 testing. If an individual tests positive, the application would notify both that person and also the individuals with whom the infected person may have come into recent contact based on location information stored by the application and suggest necessary quarantine measures while maintaining the infected person’s anonymity. The application would request those notified to undergo testing themselves, repeating the process for any subsequent positive results.
This application could potentially be further developed to request that an individual have their temperature taken (potentially through the application itself) prior to entering a building, such as their workplace. In the case of a high temperature reading, their entry would be blocked and they would be requested to work remotely. Alternatively, for a normal temperature reading, the application would generate a code (e.g., a color code where green is all clear) enabling the individual to access the building.
Temperature readings could be supplemented by other self-testing tools that scientists are currently developing, such as tests that use swabs to look for the virus or antibody tests that look for evidence that the individual has had the virus and recovered.
Public Health England is looking to roll out 15-minute home-testing kits that would operate similarly to home pregnancy tests, making use of blood, saliva or urine to provide results. Such tests, reliant on antibody testing, would determine whether COVID-19 antibodies are present in the sample, indicating that the individual has recovered from the virus and gained some degree of immunity to it. Such tests are currently undergoing trials in the UK to determine their accuracy. The home-testing kits have so far not been made publicly available as they have not yet passed evaluations. Professor John Newton, appointed to supervise the testing process by UK Health Secretary Matt Hancock, has stated that the 3.5 million home-testing kits the UK ordered from China are not yet suitable for public use and not good enough to be rolled out on a large scale.
In contrast, the U.S. government’s approach to developing alternate suppression measures has so far involved fast-tracking COVID-19 testing, including immunity tests. Accordingly, the U.S. Food and Drug Administration (FDA) has significantly relaxed the approval process for COVID-19 tests. In official guidance released on March 16, 2020, and updated on March 30, 2020, the FDA authorized serology immunity tests (tests based on blood serum) to be carried out even before obtaining an expedited FDA emergency use authorization, as long as: (i) the tests are first validated through bridging studies (studies conducted in the U.S. to confirm validation data collected outside the U.S.); (ii) the manufacturer or distributor has notified the FDA; and (iii) certain information is included in the test reports. The FDA cited the decreased complexity of the serology tests as a reason they can be fast-tracked for use and approval, stating, “Considering that serology tests are less complex than molecular tests and are solely used to identify antibodies to the virus, [we do] not intend to object to the development and distribution by commercial manufacturers or development and use by laboratories of serology tests to identify antibodies to SARS-CoV-2.”
UK Suppression Methods and the NHSX Application
The National Health Service (NHS), the UK’s public health care service, is looking at developing an application to help the NHS track and monitor the spread of COVID-19 (the COVID-19 Application) as part of the UK’s strategy for managing the pandemic. Leading these efforts is the innovation arm of the NHS, the NHSX, which sets national policy for the NHS in the field of digital and data technology (including data sharing).
The COVID-19 Application is meant to help the UK government and the country’s health care leaders understand how the disease is spreading and proactively combat infections by diverting patients to the facilities best able to care for them based on demand, resources and staffing capacity. The success of the COVID-19 Application will depend largely on whether a sufficient proportion of the UK population signs up and uses it in a disciplined manner to enable a safe post-lockdown era in the context of this pandemic.
The NHSX is working with developers to make the COVID-19 Application Bluetooth-based. This is an attractive alternative to using the global positioning system (GPS) for tracking purposes, a proposal which has led to growing concerns that governments may use public health emergencies as a justification to heighten surveillance capabilities. Privacy advocates argue that a Bluetooth-based application is the least intrusive form of mobile tracking and provides the most reliable output to identify the other people that a given individual would have been in contact with recently. Bluetooth tracking is based on proximity and operates by measuring the “received signal strength indicator” of a connection to estimate distance (i.e., the stronger the signal the closer the devices). This technology is being considered by several EU countries for contact-tracing applications they are currently developing, and was seen successfully deployed by Singapore in its TraceTogether application. Alternatively, GPS tracking, as used in China’s COVID-19-related health care application, is more intrusive, as it operates by using satellites to actively locate individuals through pinpointing their locations based on proximity to a given area. In addition to privacy concerns, questions have been raised regarding the accuracy of GPS location tracking.
If it is to maintain public trust and transparency, the NHSX will need to consider operational strategies regarding the information gathered by the COVID-19 Application in addition to technological aspects of the initiative. The NHSX will need to develop a clear “exit strategy” which will allow it to inform users of the envisaged periods that the gathered data will be retained, aligning with the requirements of the General Data Protection Regulation (GDPR), and set these data retention periods out in a simple and easily digestible manner. The NHSX needs to consider rules and guidelines for how the data processed in relation to the COVID-19 Application will be erased following the pandemic and not kept longer than necessary for any purpose other than those disclosed at the outset. Implementing effective safeguards is likely to be an important factor in fostering trust amongst the UK population and making the rollout of the COVID-19 Application a success. The NHSX has already confirmed that the information would “largely” be drawn from existing data sources and has emphasized that the data would be anonymized, by removing names, addresses and other personal identifiers and replacing them with pseudonyms, so that no individual patient can be identified.
GDPR Feasibility and Cybersecurity Considerations
Because of the volume and sensitive nature of the data likely to be collected by the COVID-19 Application, data protection and cybersecurity concerns should be of paramount concern to the UK government when contemplating its implementation. The processing of personal data through the COVID-19 Application will need to comply with the core data protection principles set out in Article 5 of the GDPR. The European Commission has advised public health authorities to abide by EU legal principles (especially the principle of data minimization) when processing personal data for COVID-19-related purposes, calling for a harmonized approach when employing mobile applications to combat the pandemic to ensure that technological tools can interoperate across the EU. The European Data Protection Board has announced that its “technology expert subgroup” is heading subgroups to produce guidance on key aspects of data processing (including for geolocation and tracing tools) as countries use data processing to fight against COVID-19.
The processing of personal data gathered by the COVID-19 Application (and more generally any COVID-19-related applications) must be grounded in a legal basis provided for in Article 6 of the GDPR and, where the processing of special categories of data is involved, also with one of the conditions under Article 9 of the GDPR. Special categories of data are sensitive data that are subject to further processing requirements under the GDPR and include genetic data, biometric data and health-related data. This two-step analysis must be carried out at the outset of a project and prior to the processing of any personal data. The legal grounds under Articles 6 and 9 of the GDPR may be supplemented by specific pieces of legislation at a national and/or EU level to justify conducting the processing for the purpose of monitoring the spread and minimizing the impact of COVID-19.
The NHSX, as a public body, will most likely rely on Article 6.1(e) of the GDPR, which requires that the processing of personal data be necessary for the performance of a task carried out in the public interest or in the exercise of official authority. Section 8 of the UK Data Protection Act 2018 (DPA 2018) clarifies that “in the exercise of official authority” includes, amongst other things, the exercise of a function conferred on a person by an enactment or rule of law. Public authorities may also seek to rely on Article 6.1(d) of the GDPR, which requires that the processing of personal data be to protect the vital interest of individuals. The NHSX should avoid relying on consent as the lawful basis for processing, as both the GDPR and the DPA 2018 make clear that consent is likely to not be given freely where the controller is a public body.
The relevant Article 9 GDPR conditions that would be available to the NHSX would most likely be (i) Article 9.2(i), which requires that the processing of special categories of data be necessary for reasons of public interest in the area of public health; or (ii) Article 9.2(g), which requires that the special data be processed for reasons of substantial public interest. Both conditions must be based on EU or member state law proportionate to the aim pursued and provide for suitable and specific measures to safeguard fundamental rights and the interest of the data subject (here, being a person who has downloaded the COVID-19 Application). So far, the UK has executive orders in place, but no specific domestic legislation has been enacted. Moreover, parliamentary sessions have been temporarily suspended until April 21, 2020, (which may be extended), potentially delaying the passage of such laws. This is also relevant to the processing of geolocation data, which under the ePrivacy Directive requires anonymization or prior written consent but may be able to be processed on alternate grounds that are set out in emergency legislative measures pursuing public security (in the context of the pandemic, this would be the safeguarding of public health). Such national legislation would need (i) to constitute a necessary, appropriate and proportionate measure within a democratic society and (ii) to be implemented with adequate safeguards in place to protect individuals' rights. It remains to be seen whether, under these exceptional circumstances, UK executive decisions can be temporarily treated as equivalent to member state law for the purposes of Article 9 of the GDPR before they are formalized.
As the NHSX works with third-party vendors to develop and further implement the COVID-19 Application, it should ensure that it implements appropriate data processing agreements that satisfy the requirements set out in Article 28 of the GDPR applicable to controller-to-processor relationships.
Core GDPR Requirements
When considering the implementation of the COVID-19 Application, the NHSX should contemplate the following core GDPR requirements that would apply to the processing of data:
Risk analysis: Although certain exceptions may apply to the NHSX as a public body for carrying out data protection impact assessment pursuant to Article 35 of the GDPR, it is advisable and best practice to keep a written record of the risk-based decision-making process associated with the development and implementation of the COVID-19 Application.
Transparency: The NHSX will need to provide an external privacy notice made available to the general public upon accessing the COVID-19 Application. This notice will include the prior information required under the GDPR and identify, for instance, which types of personal data will be processed, the categories of data recipients and the purpose(s) sought for such processing.
Security safeguards: The NHSX should apply strict measures to protect the security and confidentiality of such personal data, which can be done by implementing encryption (in transit and at rest), and wherever possible, at the least anonymize data or aggregate and anonymize the data processed.
Accountability: The NHSX should keep clear and up-to-date records of actions taken in relation to processing.
To the extent that any data processed by the COVID-19 Application would leave the UK and be transferred to third countries located outside the European Economic Area, such transfer would most likely be inconsistent with the GDPR unless one of the derogations under Article 49 of the GDPR applies. Though the threshold to meet these derogations is high, given the nature of the pandemic the NHSX may be able to rely on the fact that the transfer is necessary (i) for important reasons of public interest (Article 49.1(d) of the GDPR) or (ii) in order to protect the vital interests of the data subject or of other persons (Article 49.1(f) of the GDPR). In any event and for security purposes, international transfers made to combat the pandemic in a collaborative global fashion should be undertaken in an aggregated and anonymized manner to the extent possible.
The development of the COVID-19 Application presents an opportunity for cyber criminals to exploit the current crisis. Adopting appropriate safeguards — such as (i) encryption (in transit and at rest), (ii) aggregation and anonymization of the data, (iii) frequent monitoring of systems and (iv) regular updates against known bugs and vulnerabilities — will be paramount in combating cybersecurity threats and ensuring that sensitive data does not fall prey to criminals. Additionally, the NHS has developed a cybersecurity model (CSSM) providing for a set of security requirements for NHS organizations to comply with, in line with best practice, which would equally apply to NHSX in relation to the COVID-19 Application.
The development of COVID-19 related applications has formed part of the exit strategy of several countries seeking to maintain suppression of COVID-19 following the ending, or easing, of lockdowns (or to supplement lockdowns) and appears to be an emerging trend. Such applications aim to test and trace users, based on health information provided, to confirm whether individuals have tested positive for COVID-19, and if so, notify other users deemed to have been in close proximity with the infected individuals. Depending on how the applications are developed, they can potentially operate by utilizing temperature readings to determine if users may or may not enter buildings based on codes generated by the applications determined by the results of those temperature readings.
Successful deployment of health monitoring applications on mobile phones as a suppression method has the clear potential to mitigate damage to the economy caused by the pandemic. A key challenge facing the developers of such mobile applications will be garnering high enough levels of adoption, with Oxford researchers postulating that at least 60% of the target population will need to opt-in to using these applications for them to be effective. At the heart of such mobile applications and the COVID-19 Application lies data protection and cybersecurity concerns. Even during a pandemic, data protection laws continue to apply and should be followed when processing personal data in the context of COVID-19-related applications; this should help maintain public trust, which in turn will support the success of these suppression techniques by promoting high levels of user adoption. The UK will need to carry out a balancing exercise, as although positive domestic laws could allow personal data necessary to contain the virus to be processed for the purpose of monitoring the spread and minimizing the impact of COVID-19, this must be done in a manner that ensures there are safeguards in place to protect the individuals whose data is being processed and their civil liberties.
This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.