Profile picture
, 15 tweets, 4 min read
My Authors
Read all threads
I've analysed the data protection impact assessment for the NHSX Isle of Wight App trial. It indicates very significant legal flaws. The paper I have written on it can be found here: osf.io/preprints/lawa…. I'll go through the main ones in this thread 1/n
1: The DPIA reads like a fight between PR folk wanting to say it is anonymous, and data protection folk needing to say legally, it is not. DPIAs are no place for PR. This data is not anonymous.
Here are three easy scenarios that show this data is really not anonymous (let alone the fact that it cannot be anonymous data in data protection law if there is a unique device identifier involved).
2: The DPIA states collecting personal data is always done voluntarily. It does not properly admit that this is not true: by design, the NHSX app works by other people uploading information about you, including third parties you were coloacted with.
3: The DPIA states there is no systematic monitoring of a publicly accessible area on a large scale (GDPR art 35(3)(c)). Every citizen is turned into a sensor. Evidence to Parliament talks about postcodes and hotspots. This needs to change.
4: The DPIA states that users will not be deprived of their data rights. But it then goes on to explain how they will. You will not be permitted access to your data because the app will not let you see your 'Sonar ID', and therefore they cannot find you in the database.
There is literally no reason for this. You emit data through Bluetooth all the time that NHSX will be able to reverse into your Sonar ID - this is not secret, or sensitive. It violated data protection by design, which obliges building in data rights, not designing them out.
5: NHSX also deny the right to erasure of data on the server, and do not provide a lawful basis on which this blanket refusal is occuring. You cannot refuse data deletion without a reason.
6: The right to object is missing, and they do not mention it once, despite it specifically applying to the lawful basis that NHSX are using (art 6(1)(e)).
7: There is no valid lawful basis laid out for automated decision-making. The COPI Regulations they rely on do not work for this: they authorise processing, not decision-making, and they are different thigns. There are other mistakes that relate to this.
8: The logic of the algorithmic systems and risk scores is embedded in a PDF in a Word file, which is turned into a PDF. You can't open it any more. It has to be provided under Article 13, by law.
9: NHSX state they are only 'briefing' the ICO, but given the nature of the inherent risks to their system, which cannot be fully mitigated, they need to engage in a process called Prior Notification (article 36, GDPR). They do not appear to be doing this from the DPIA.
10: It is unclear how they deal with ePrivacy law, and unclear if the trackers in the app are legal to use given this law.
NB: I could not analyse the risks, they are *all redacted*. There is no analysis possible of benefits/risks, nor any part of the DPIA that allows/tries comparison with other approaches to the same purposes. That's what a DPIA is for, and this public version fails on that front.
The DPIA is available here: faq.covid19.nhs.uk/DPIA%20COVID-1…
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with Michael Veale

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @mikarv see all

Profile picture
Michael Veale
@mikarv
Let’s go through Matt Hancock’s letter to @HarrietHarman @HumanRightsCtte on the NHSX app and take a closer look at some of these statements 1/
While any data collected *by* the user’s smartphone will not be shared, in centralised systems, other people share your identifiable data. All your broadcasts look like the same single device ID to the Gov. Other people upload their contacts with you, without consent.
In decentralised system, data observed abt others NEVER leaves ANYONE’S phone, ever. The reason Hancock can say data never leaves your device without your consent is because it doesn’t need to — it leaves the phone of people who have seen you, without your consent instead!
Read 11 tweets
Profile picture
Michael Veale
@mikarv
The Register has a very technically savvy long-read headlined simply: “UK finds itself almost alone with centralized virus contact-tracing app that probably won't work well, asks for your location, may be illegal” theregister.co.uk/AMP/2020/05/05…
Basically they highlight the way iPhones will “work” when locked in the NHS system; they, uh, won’t, unless they are near either an Android or someone with their iPhone which is unlocked, screen on, app foregrounded.
The takeaway: Two people who have their iPhones locked in their pockets will not register as contacts with each other. A room of people with iPhones locked in their pockets will not register with each other unless someone with an Android is in the room.
Read 5 tweets
Profile picture
Michael Veale
@mikarv
You can say it is protected.
You can say it takes effort to link to an individual person.
But databases of contact data connected to device IDs, such as that in the UK NHSX app, are *unambiguously* not anonymous data under UK law.
It was said such data are anonymous in the press briefing yesterday.
Unless you redefine the word for your conversation to not relate to UK law — which as that government you should not do — this is an untruth.
It is not a legal grey area. It quite literally is explicitly clarified in UK law that device identifiers are personal data. This clarification isn’t even needed to come to the conclusion above — the law is so clear it is easily arguable without it.
Read 5 tweets

Embed code for your website

×
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!