We need to see proof of Scotland’s contact tracing privacy standards

As test and trace programmes are launched across the United Kingdom its time to revisit whether we have any further clarity on the privacy impact assessments of Scotland’s plans. The First Minister emphasised privacy standards underpining Scotland’s strategy this week. But others have not been forthcoming in explaining those safeguard. That needs to change, and fast.

On 4 May 2020 the Scottish Government set out their Test, Trace, Isolate, Support guidance. This included plans for Scotland’s own test and trace system, developed by the Digital Health and Care Institute. Scotland’s system was for a webtool to allow someone with a confirmed case of covid19 to input contact details of individuals they have been in direct contact with. These individuals would then be contacted by Scotland’s contact tracers and will be asked to self-isolate for 14 days, and book a test if they develop symptoms. If a contacted person does not have symptoms, other people in their household will not have to self-isolate.

The system was not a Bluetooth contact tracing app as proposed and developed by NHSX and trialled on the Isle of Wight, which has now been delayed. That being said, we are still talking about a lot of personal data on individuals being collected relating to potentially sensitive areas of our private lives. It may not be Bluetooth beacons but it still requires privacy due diligence to be carried out.

On 7 May 2020 Open Rights Group along with Dr Angela Daly of Strathclyde University and a host of other academics, policy experts in the field of privacy, and activists wrote to Scotland’s Health Secretary and the Digital Health and Care Institute to ask about the privacy and human rights risks identified in this system, and how they have been mitigated.

We are yet to hear from either of them.

The next week, on 17 May Health Boards in Fife, Lanarkshire and the Highlands all began trialling Scotland’s test and trace strategy. While a sensible move to ensure that any kinks in the system could be ironed out, there still was not any clear information about data protection impact assessments or human rights and equality impact assessments. On 20 May Open Rights Group wrote to each of the three health boards to ask them about these standards, and the information provided to individuals who participate in the trial.

We are yet to receive a response from them. The letters have mostly been acknowledged as freedom of information requests and thus subjected to the statutory timescales in place.

Finally, we turned to allies in the Scottish Parliament who had been in touch with Open Rights Group and others about the impact on fundamental rights the proposed strategy may take. Liam McArthur MSP, Liberal Democrat Member for Orkney Islands submitted questions to the Scottish Government echoing the questions raised to the Scottish Government, Digital Health and Care Institute, and the three health boards.

Liam’s questions are due a response by the 9 June.

From the announcement of the test and trace strategy, to the trials, to the eventual launch Open Rights Group have been keen to impress on the Government and the health providers involved that transparency is key and ensuring that risks to privacy and other rights generated by this approach are considered, documented, and mitigated.

On 25 May at the daily press briefing Scotland’s First Minister Nicola Sturgeon assured citizens of privacy standards:

“I want to take the opportunity now to assure you that your privacy will be respected at all times during this process.

The information you provide will be held securely within the NHS and used only for the purposes of tracing your contacts.

It will not be used by the Scottish Government – indeed, we won’t have access to it. All the work of identifying and tracing contacts will be done within Scotland’s NHS.”

This is encouraging.

Yet we still have not seen this formally acknowledged in law or in public assessments such as data protection impact assessments and equality and human rights impact assessments.

These documents are standard due diligence, we aren’t asking to stop the roll-out, or to re-design the system. We’re asking whether the Government and NHS Scotland have assured themselves that they have taken every necessary measure to protect our privacy during this. They may very well have asked and answered those questions, in which case there is no reason to delay showing the public their working.

Doing so will bring confidence that in the event we give the details of our contacts to NHS Scotland’s contact tracing team through the webtool, that those details will be treated with discretion, that they will not be used for any other purpose than for contact tracing. The First Minister has said as much this week. Its time to close any lingering gaps and publish the proof of this commitment to privacy.

Sign up to receive updates from org Scotland

Stay in the loop on the digital rights issues in Scotland

Join the Mailing List