Eerke Boiten
Prof Cyber, ACE-CSR @dmu_cybertech, Head of School CSI @dmuleicester. Security, privacy, data protection. Jumped queue 1995. He/him. All views personal.

May 18, 2021, 20 tweets

Remember how the NHS App was going to become our vaccine passport, as of yesterday? It turns out I was massively confused (or misled if you like) about its privacy notice, data controller, etcetera. This is because there are NOW 2 similar features on the app.

On Sunday, I saw the "Check your COVID-19 vaccine status" feature appear, and thought it looked encouraging. See tweets - controller NHS Digital, can't be used by others, can't be used for work, etc etc, and an acceptable privacy policy.

BUT

Today's app update shows that is NOT the vaccination passport. We now have a new feature, "Share your COVID-19 status", which is. It has a different controller, uses far more data, and is collecting a large amount of sensitive and identifying data it claims it doesn't need.

This one is owned by the Department of Health and Social Care, not NHS Digital (but it still only works for England).

Its purpose is NOT just international travel (which I supported generally), but the broader "unlocking", which has all sorts of surveillance and inequality impacts.

And then the data it collects. Starts out with what you'd reasonably expect (forget bottom right for now):

Then the shockers. Vehicle plate, NI number, employer, education, info on family and lifestyle, ethnic origin, biometric and genetic for identification, crime - most of them not "Used in certificate".
Is this creating the unified people database for UK government?

Lawful bases: 6(1)(g) 9(2)(g)(h)(i).

Still no DPIA. This is an outrage. I can foresee circumstances in which I need to make international travel, but until then I won't use this.

Maybe it was naive to believe all the sounds from UK government, that they were going to limit vaccination passports to international travel, that they were cautious about the whole thing. We now know otherwise. DHSC has taken it out of the hands of the NHS, expect abuse.

Found the offending privacy policy/notice (app uses interchangeably) for the vaccination passport online now: covid-status.service.nhsx.nhs.uk/help/privacy-n…

If you came here out of interest in UK data grabs and medical data and lack of DPIAs, may I refer you to this: all GP data to be uploaded to a central database unless you use a prehistoric opt-out.

Important response from @NHSuk

Now this as a full story in @ConversationUK. theconversation.com/nhs-vaccine-pa… - including my latest view on the irrelevant sensitive data following also @NHSuk tweet above: probably a copy-paste error, but that reveals their attitude to privacy.

In summary, I don't think that this is about creating a large evil database. Even if the identification dimension of Covid passports would encourage such.

There is, however, a large and obscurely managed database created in response to Covid. theconversation.com/why-we-need-to…

Source of copypasta found: . Giveaway mutant gene: biometric and genomic as a single item.

Update: the seemingly irrelevant but highly sensitive data items have now been removed from the privacy notice at covid-status.service.nhsx.nhs.uk/help/privacy-n… as well as on the app.

So, two days on, this thread interacted with over 300,000 times, one of the issues it raises (bizarre mention of irrelevant sensitive data) now resolved, but people still citing this thread as evidence of government evil data plans, including people with worrying views on Covid.

Would it be responsible for me to delete the thread now? On balance, no. Hope people read to the end. A few issues raised remain: the open-ended use of the passport that would be for international travel only. The lack of a DPIA on large scale processing of health data.

That last point, lack of DPIA, relates closely to the lasting damage of the (now fixed) sloppy errors in the privacy notice, and the lack of substantive DPIA for the data store. It tells the world they see privacy (and broader: rights impact assessment) as a compliance add-on.

Just to be clear. I am going to get my 2nd vaccination today and I am still wearing masks in public all the time. Lockdown makes sense, and Covid is real.

The UK government is after all your data and has some really dodgy connections. That's my single conspiracy theory.
