Protect Scotland App launches

Note: 25 September – this blog, originally published on 10 September 2020 has been updated with links to Protect Scotland’s transparency section. Documents accessible here.

With the launch of the Protect Scotland App, Scotland has developed a proximity tracing app that follows the privacy-preserving de-centralised model and specifically focused on proximity tracing to the exclusion of other functions. We have to acknowledge that this app for better and worse is still firmly in the ecosystem of big tech firms and so Scotland is unable to control aspects of this development and the App’s functions. While certain factors are out of the control of the Scottish Government, what they can do, they have done well, but they must ensure to give clarity going forward and give all the transparency they can through supporting documents and clear communications to everyone in Scotland.

While other parts of the Union flailed around with a centralised “one stop shop symptom tracking, book your test, proximity tracing” behemoth of an application, Scotland held back launching any distinct app development, instead focus on scaling up NHS Scotland’s contact tracing capacity, which ORG scrutinised closely. It was only at the very end of July that Scotland announced that an App was in development.

That is a quick development time, and much of the time was seemingly saved by working with developers that had established both the Republic of Ireland and Northern Ireland’s proximity tracing application and underpinned by Google and Apple’s Exposure Notification API system.

The App works on the premise that no personal data is shared centrally, with random IDs generated and shared via Bluetooth with devices also running the App. These are held on the individual’s device. When a person tests positive for coronavirus they are provided with a code which they can decide to input and if they do, the log of random IDs are uploaded to a server that all of the Apps are checking their log of random IDs against. Your device will alert you if your store of ID corresponds with a log on the positive diagnosis list.

While other proximity tracing Apps seek additional personal information such as post code or request geolocation to be switched on the Protect Scotland App requests no personal data from an individual.

We have to remember that with this App we are living in the world created by Google and Apple, for better and worse. For better, because the de-centralised operation of the App is a core condition of the operation of the Exposure Notification – which England learned the hard way. And for worse because system design from these providers have been found to continue to run geolocation services for those devices running Android 10 or earlier operating systems.

It is Google and Apple’s world, Protect Scotland is just operating in it as best as it can.

Because of this it is vitally important that Scotland does what it can to produce clear transparent information to maintain public trust. That means documentation such as the source code, the Data Protection Impact Assessment, Equality and Human Rights Impact Assessments and clear communication of the principles behind this application should be seen as a priority. Open Rights Group understands that these documents are imminent for publication and the reason for their failure to appear at launch is the App was released onto App Stores ahead of expected following a speedy approval from Apple and Google.

The European Data Protection Board, an independent body whose purpose is to ensure consistent application of the General Data Protection Regulation, has a set of recommendations on clarity in the adoption of proximity tracing apps that the Scottish Government would do well to follow. These include recommendations that States adopting proximity tracing applications should adopt meaningful safeguards including a reference to the voluntary nature of the application, explicit limitations and on the further use of personal data and clear identification of the data controller. Much of that has been done with the privacy notice and will be clearer still with the DPIA publication. Finally, the EDPB recommends including, as soon as practicable, the criteria to determine when the application shall be dismantled and who will be responsible and accountable for making that determination. Something which ORG wholly endorses.

The app is a voluntary undertaking for the population, as it should be. That means relying on the trust of the Scottish public in the standards, governance of the application. Ultimately we need to see that the App is here not as a permanent fixture in our lives, but as a temporary tool in fighting the spread of coronavirus and like the virus something that will eventually, be shut down and rid from our lives.