The NHSX App DPIA has been quietly updated to include the register of risks that was not present upon release. I think their assessment (everything is low/medium risk max) is incomplete and contentious, but will let you decide. Thread 1/n
Here is the risk scoring matrix NHS England use. Red, Amber, Green. Findings of high risk (I expect A/R and above) have legal consequences of requiring Prior Consultation of the ICO under Article 36. 
NHSX state that malicious or hyperchondriac self-reporting, with the consequence of causing self-isolation of a target, is of 'medium' impact and is 'possible'. Personally, I think it's hard to imagine risks to rights or freedoms of higher impact than quarantine.
NHSX state that how ppls who do not come into contact with more than a few other would be able to find out who infected them is 'possible' but of low impact. Bear in mind they consider this information that would be revealed 'confidential patient information' under the COPI Regs.
They omit to analyse that it is q easy to make a modified version of an app which becomes a COVID-19 detector: this risk is a real one. This is an inherent risk of centralised and decentralised systems. Here's how you do it: (from github.com/DP-3T/document…)
For the French, the common risk of identifying neighbours is seen as so great (there are two ways to do it in decentralised systems, one in centralised) is sold as a prime reason for going it alone with centralisation. Blog from Minister: medium.com/@cedric.o/stop…
It is quite strange that the UK's 'solution' to this risk is to tell the Secretary of State about it.
NHSX interestingly state that the existence of public debate or discussion about what system an entire country should install is a data protection risk *higher than the fact that a neighbour could rig a system to find out your infected status*. You can judge that yourself.
You may find it bizarre that the fact that a decentralised contact tracing model the Information Commissioner officially stated is aligned with the concept of data protection by design exists and is being talked about is a data protection risk. I do. ico.org.uk/media/about-th…
As I noted in DPIA analysis, NHSX plan to deny all user-triggered data rights (access, erasure), by simply not lett you send your ID (technically, very easy to do). They say while denying data rights is 'high risk', likelihood is 'rare'. Yet they plan to do it 100% of the time?
I am unable to square that circle. The risk of denying data rights to everyone is a high risk. The right of access is a *fundamental right* under the Charter, which currently applies to the UK. How can denying to 100% of people be 'rare'?
There are others, but let's turn to some that are missing from their risk register.
Running the NHSX App breaks protections in almost all mobile phones which prevent persistent Bluetooth tracking, by having an identifier that only changes every day. This allows anyone at all to track any user around using Bluetooth sensors within a day. github.com/nhsx/COVID-19-…
People with an antennae can drive round different roads and send out bluetooth identifiers using rotating accounts. This allows them to build up a heatmap of 'infected streets'. (p.8-9, here github.com/DP-3T/document…)
If you think adoption risk is a data protection risk, as they do, then NHSX should likely address the risk their system will not be interoperable with other countries (although in their defence, this would not apply to the Isle of Wight trial)
People could use the self-reporting feature on their phones to keep individuals trapped in abusive relationships under lockdown, exacerbating domestic violence and abuse.
Cheaper and older phones (e.g. Androids lower than 8, which I believe do not support the NHSX App) are disproportionately owned by marginalised groups, putting them at risk. Blackspots could emerge in poorer communities.
They do not mention the compatibility issues with iPhones and Androids, or the battery usage issues that could harm accuracy in crowds.
Other risks I previously highlighted. This is a non-exhaustive list. I am of the belief that several of the risks here and above would at least be Amber/Red. If not... what exactly is a red risk? Is it a fiction? Do red risks exist?
Note: a 'red' (high) risk does not mean the whole system is illegal! It means NHSX must officially talk to the regulator under Article 36. Fairly analysing risks does not mean this system isn't possible to make lawful (although there may be other barriers to lawfulness).
The risk register is here: faq.covid19.nhs.uk/20200505a%20DP…
The amended version of the DPIA which unredacts it is here: faq.covid19.nhs.uk/DPIA%20COVID-1…
My analysis of the DPIA is here: doi.org/10.31228/osf.i…
The amended version of the DPIA which unredacts it is here: faq.covid19.nhs.uk/DPIA%20COVID-1…
My analysis of the DPIA is here: doi.org/10.31228/osf.i…
