Analysis of the NHSX Contact Tracing App ‘Isle of Wight’ Data Protection Impact Assessment
This note examines the published data protection impact assessment (DPIA) released by NHSX in relation to their contact tracing/proximity tracing app. It highlights a range of significant issues which leave the app falling short of data protection legislation. It does this so that these issues can be remedied before the next DPIA is published. The main issues this note focuses on are the following:

Personal data
- The DPIA must not claim this data is anonymous, or that the app preserves anonymity, as under UK law, it does not.
- The document (and associated public messaging) must be changed throughout to reflect the fact that it is not the case that personal data about a user is only uploaded with a user’s permission, as other people upload data revealing a user’s social interactions.

User rights
- The lawful basis for a blanket refusal of the right to erasure is unspecified by NHSX in this DPIA.
- The NHSX App unlawfully designs out the right to access when there is a legal obligation to design it in.
- If the controller plans to refuse all attempts to exercise the right to object, as with the right to erasure and the right to access, this needs a justification in the DPIA.

Monitoring and automated decision making
- The DPIA must acknowledge the NHSX App systematically monitors publicly accessible spaces.
- The DPIA does not set out a valid lawful basis for the solely automated, significant decision-making it correctly identifies as occurring.
- The information contained in the document embedded in the DPIA describing the logic of automated decisions must be provided under GDPR, article 13.

Prior consultation and e-Privacy
- The Information Commissioner must be consulted prior to processing within the meaning of GDPR, art 36, not just briefed.
- The DPIA should explain how the Privacy and Electronic Communications Regulations are complied with, both in relation to Bluetooth usage and in relation to embedded trackers.

The note does not consider alternative architectures or less intrusive means to achieve the purposes of the NHSX app, although these are critical issues that this DPIA could be argued to have failed to assess. This note is unable to assess the risks of the app as provided by the DPIA because all the risks have been redacted.