UK privacy watchdog confirms probe into NHS England COVID-19 app after complaints of spammy emails, texts • The Register

Exclusive Britain’s Information Commissioner’s Office (ICO) has confirmed it is investigating grumbles about heavy-handed marketing emails and texts promoting the NHS COVID-19 contact-tracing app in England.

Between 26 and 27 September, NHS Test and Trace messaged anyone resident in the country who was over the age of 16 and had previously provided their contact details to a GP. Those contacted had not specifically opted in to receive marketing communications regarding the NHS COVID-19 app.

In its FAQ, the NHS justified the mass email-and-text blast by underlining the urgency of the current situation. “It was determined a matter of public health importance to encourage people to download the app as a critical part of NHS Test and Trace,” it wrote.

“England is experiencing a second peak of coronavirus transmission, resulting in a number of local restrictions and tightening of national restrictions. Encouraging people to download the NHS COVID-19 app is considered by the Department of Health and Social Care (DHSC) to be a highly important tool for managing and monitoring the outbreak, and a matter of public interest.”

This didn’t go down well with everyone who received the message, including Reg readers. “The UK government is spamming people in an attempt to get them to install the test and trace app – what all good app developers do, right?” one reader told us.

“I have not opted in to receive [these] emails. I’ve expressly opted out of all data sharing via my GP, anonymous or otherwise. Even worse there is no unsubscribe link in this email. It seems like the only way to opt out of these messages is to tell my GP to remove my email address and phone number from their system – and I’ll do that now.”

Contact tracing

NHS COVID-19 app’s first weekend: With fundamental testing flaw ironed out, bugs remaining are relatively trivial

READ MORE

In a statement sent to The Register, the ICO confirmed it had started investigating people’s gripes though it did not disclose to us how many it had received. “We have received complaints in relation to text and email messages being sent about the NHS COVID-19 app and we are making enquiries,” said an ICO spokesperson.

NHS COVID-19 launched on 24 September for England and Wales – Scotland and Northern Ireland already had their own COVID-19 awareness apps by this point.

The software arrived at an acutely challenging moment for the UK’s fight against the pandemic. Infection rates have skyrocketed, prompting local lockdowns across large parts of Wales and northern England. Given these circumstances, cybersecurity expert Professor Alan Woodward, of the University of Surrey, understood why the NHS opted for the path it took – although he noted the data should be used with the strictest safeguards.

“I suppose I can see why they did it,” he said. “What I was unaware of, and so I suspect are others, is that GPs share our phone numbers with other parts of the NHS. It would be nice to know how it is protected and specifically how NHS digital are ensuring it doesn’t become a victim of hackers.

“Much, I suspect, may depend on how it is stored. If it’s stored and associated with other personal data, it represents an incredible target. It would effectively be the phone number of everyone over 16 who has a mobile phone (assuming they registered the mobile with their GP which most do ask for as they now send texts from the local surgeries with things such as appointment reminders).”

Woodward added that there should be no need to associate the phone number with other biographical or medical information due to the generic nature of the message. “It goes back to basic GDPR principle of collecting the least amount of data to achieve the objective,” he said.

While some may fault the methods of the NHS Test and Trace team, you can’t really argue with the results. By the end of the weekend, nearly 12.4 million people in England and Wales had downloaded the app.

Given the spike in infections – rising to a UK record of 7,143 yesterday – it’s a good job the software is finally here. It was once billed as a central component in the fight against coronavirus until development failed and it was relegated to being described as the “cherry on the cake” by Baroness Dido Harding, who leads the test-and-trace programme in England.

The Register has asked the UK government’s Department for Health and Social Care and NHS Digital to comment. We will update this story should we hear back. ®

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: