UK makes belated switch to decentralised contact tracing

The UK government has switched to the decentralised model for its contact-tracing app – months after disregarding the ICO’s recommendation that it do so. 

The UK Department of Health and Social Care announced yesterday that it is shifting its focus from the app it had developed and tested which used a centralised model, to the model based on Apple and Google technology.

The move makes the UK the latest of several European countries to switch from the centralised model – where a central server processes data collected by the app – to decentralised, where information remains on users’ devices. The latter is touted as being more privacy-friendly, while a centralised model allows for greater collection of data to be used for research.

Germany launched a decentralised contact-tracing app earlier this week after receiving the green light from the country’s data regulators. 

Michael Will, head of the Bavarian data protection authority, told GDR last week that although data processed by the app is not completely anonymised, the level of risk involved is very low, as information which could identify individual users will only be stored on personal devices rather than on a centralised database. 

And Marit Hansen, head of the data protection authority for the German state of Schleswig-Holstein, said the country’s app “is strongly following the path of data protection by design. It makes use of Apple's and Google's joint effort to a decentralised exposure notification ... the name of the persons you meet and the location of the meeting point won't be stored.” 

Germany’s health ministry yesterday said nearly 10 million people have downloaded the app, just days after its release. Observers have said that the apps become increasingly effective the more people use them, although data authorities have said governments must not make their use mandatory. 

Italy’s data protection authority has given the go-ahead to the country’s “Immuni” app, which is also based on the Apple and Google model. The watchdog said that on the basis of a data protection impact assessment produced by the health ministry, the data processing carried out by the app can be considered proportionate, as features have been put in place which will protect data rights.

The UK Information Commissioner’s Office appears to have had less influence over its government’s contact-tracing efforts than its European neighbours. It initially recommended the decentralised model, saying that “as a general rule, the decentralised approach allows most readily for best practice compliance with the data minimisation principle”.

But it later backtracked, with ICO chief Elizabeth Denham telling a parliamentary committee in early May that the use of a centralised database may be acceptable, despite the regulator’s original advice. Denham told legislators at the time that it “does not in any way mean that a centralised system cannot have the same kind of privacy and security protections”. 

An ICO spokesperson said: 

“We are in contact with those leading development of the test and trace system to find out more about their processing, how the switch to the decentralised approach will be developed further, and to understand the data protection implications of the test and trace programme and the overall ecosystem."

“We will continue to ensure that the requirements of the UK’s data protection legislation are considered and the privacy obligations of data controllers are met.”

Elsewhere in Europe, data regulators have played a large role in the operation of contact-tracing apps, with the Norwegian and Lithuanian authorities forcing their governments to suspend their efforts because of data protection concerns.

Unlock unlimited access to all Global Data Review content