Coronavirus: can we keep track of our sensitive data?
The current crisis has prompted an openness to sharing information and a willingness to forego some of the usual restrictions on doing so – even with commercial entities. PublicTechnology examines the current climate, including two major public-private collaborations, and what it means for personal data, now and in the future
Credit: Alberto Pezzali/NurPhoto/PA Images
For many public sector digital and data professionals, improving the sharing of information between organisations has long been something of an immovable object, standing in the face of the disappointingly resistible force of transformation.
Despite numerous initiatives designed to improve data-sharing, as well as the support for doing so provided by the 2017 introduction of the Digital Economy Act, barriers – whether cultural, technical, ethical, or legal – seem to have remained in place.
But a lot about the structures and practices of the world we live in has changed rapidly and profoundly in the last month or so. The systems governing the public sector’s use of data is an excellent exemplar of this.
As all public service providers respond to the coronavirus crisis, a clear edict seems to have come from the very top of government and the NHS: share data.
As rapidly as you can, and with whomever you deem necessary. And you need not fear the consequences.
The ease and speed with which councils, government departments, and NHS trusts are now sharing data – or at least are empowered to – with one another and with partners in the private sector, will be seen by many as a positive development that is long overdue.
But these are extraordinary circumstances.
While it is understandable that, for the time being, the usual ways of doing things are being thrown out or vastly remodelled, privacy and data protection advocates will be worried that the extraordinary will become the new ordinary.
The checks and balances that typically govern the distribution of citizen data no doubt carry a lot less weight when balanced against the need to respond to a deadly global pandemic that threatens to overwhelm the health service and claim hundreds and thousands of lives.
But many will be concerned as to whether the due diligence of before will return – not to mention what might happen to our sensitive data in the meantime, during the rush to share it with anyone it is believed might prove helpful in combatting coronavirus.
A long-standing and enthusiastic advocate of technology and digital transformation, the health and social care secretary Matt Hancock has set the tone for the new and open approach to data sharing.
"In the thick of everything, I have still heard colleagues cite the importance of protecting confidentiality. Practical steps are also being taken to ensure that trust is not undermined."
Dame Fiona Caldicott, National Data Guardian
Hancock last month issued a set of emergency notifications instructing all national and local NHS entities, arm’s-length bodies, and local authorities to share confidential patient data. The six-month order, which could be extended beyond the 30 September cut-off, effectively clears the way for the sharing of any patient data with any relevant organisation, providing the purpose of doing so is solely to support the Covid-19 response.
The health secretary fronted the announcement of a partnership between the NHS, charity the Royal Voluntary Service, and GoodSAM – a small, London-based app developer that has been tasked with the delivering the technical elements of NHS Volunteer Responder initiative.
The government hoped the programme would recruit 250,000 citizens willing to perform tasks such as delivering medicines, driving people to medical appointments, and talking to isolated people on the phone.
This target was hit within 24 hours and, by the time recruitment was paused on 29 March, some 750,000 had put themselves forward.
GoodSAM was founded in 2013 and its main product is an app that can be downloaded by medical professionals, who are then alerted when an emergency happens nearby.
This technology has been adapted for the coronavirus volunteer scheme. Local health agencies able to refer requests for support, which are then assigned to registered volunteers in the area, who are alerted via their phone.
As of earlier this week, a reported daily total of 1,250 people were being helped via the scheme, according to a piece for Forbes by transport journalist Carlton Reid – one of the many volunteers who was still waiting for his first assignment.
The comparatively sluggish pace of the rollout has been attributed to the need to manually process each application which, for some tasks, requires volunteers to have been through a full DBS check. This process is being undertaken by the RVS.
GoodSAM founder professor Mark Wilson told Forbes that his firm had needed to deliver “a significant increase in server capacity” to meet the current demands being placed on a company that, according to its website, had signed up 40,000 volunteers to its emergency responder app during the firm’ first seven years in existence.
Number of registrants for Zoe's Covid Symptom Checker app
Number of specified third parties with whom users agree their data will be shared with or processed by, including 11 universities or public-health agencies, and 13 tech and marketing firms
Number of NHS volunteers signed up at the time recruitment was paused
Length of emergency order from health secretary Matt Hancock under which public bodies are instructed to share confidential data
A spokesperson for the firm told PublicTechnology that: “GoodSAM is always investing as necessary as the platform grows.”
They added that the app developer’s infrastructure has coped well so far.
“We handled 4,000 applications per second at the peak, on boarding three quarters of a million people over three days with no interruption in service,” they said.
According to the terms and conditions volunteers sign up to, all personal information gathered in the programme will be stored on GoodSAM’s servers – although the company will only act as a processor of the data. The controller of the data will always be either NHS England or the Royal Voluntary Service.
PublicTechnology asked the NHS why such responsibilities have been given to GoodSAM and not, for example, NHS Digital, and what data-protection assurances have been sought and provided, but did not receive a response.
The GoodSAM representative told us that its data protection set-up “meets required standards and has been tested accordingly”.
They added: “Data will only be used for volunteering. Volunteers registering on the GoodSAM platform will be offered the options of leaving the platform – and removing their data – or staying on the platform as they wish when the NHS volunteering programme is over.”
Another major data-gathering collaboration between the public and private sectors is the Covid Symptom Tracker app, which is built on technology from Zoe – a “nutritional science” company that offers a free smartphone app designed to provide users with personalised advice on how “optimise their metabolism”.
The rollout of the symptom-tracker app has seen the company team up with the National Institute for Health Research, Guys and St Thomas’ Biomedical Research Centre, and King’s College London – for whom Zoe co-founder Dr Tim Spector also works as a professor of genetic epidemiology.
The app asks users to provide daily updates on their symptoms, to help researchers track and better understand the virus. A total of two million people have so far downloaded it and provided information on their year of birth, height, weight, post code, email address, details of symptoms, and, optionally, their assigned sex at birth.
This, the policy adds, includes users’ sensitive personal information. Although, for any entities other than the NHS and King’s College London, personal details will be replaced with “an anonymous code” before data is shared.
The policy also requires users to agree for their data – both sensitive and non-sensitive – to be processed by a wide range of third-party commercial entities, including: Amazon Web Services; Google Cloud Platform; SurveyMonkey; Segment; Google Analytics; Mixpanel; Google G-Suite; MailChimp; Mailgun; Intercom; Sentry; Google Firebase; and SwiftyBeaver.
In response to enquiries from PublicTechnology a Zoe representative indicated that the use of cloud-storage platforms such as AWS is commonplace among all businesses, and that analytics tools are required by the data scientists working on the project – particularly given the current need for everyone to work remotely.
When further asked about the stipulation that sensitive data can be processed by the various sales and marketing platforms listed – such as Mailchimp and Mailgun – as well as the fact the priavyc policy requires users to consent to being contacted about “similar apps we may have in the future”, Zoe indicated that this part of the policy related to the email capture box on the company’s website, for which it said 50,000 people have registered to receive optional updates.
After an exchange of emails, our final question was whether this the company could categorically state that the data of the two million registrants for the symptom tracker app would never be used for marketing.
Zoe responded: “All data from users in the app will be used for non-commercial purposes.”
There are already numerous smaller and more localised examples of similar initiatives to gather or share data between public sector entities, or with commercial third parties.
For its part, the Information Commissioner’s Office was quick to announce that it would be pursuing a “pragmatic” approach to its role as data-protection watchdog, and would not be taking any regulatory action against agencies responding to the coronavirus.
The regulator has set up an online hub providing guidance on the use of data during the current crisis. It has also indicated that it will keep a keen eye on issues arising from the pandemic – such as concerns raised over the security of Zoom and other videoconferencing apps.
"Data will only be used for volunteering. Volunteers registering on the GoodSAM platform will be offered the options of leaving the platform – and removing their data – or staying on the platform as they wish when the NHS volunteering programme is over"
A spokesperson said: “Data protection law enables organisations to share personal data when it is appropriate to do so. In a national emergency such as the Covid-19 pandemic, sharing information between organisations can make a real difference to protecting vulnerable individuals.”
The National Data Guardian Dame Fiona Caldicott – herself a former NHS doctor – published an update last week in which she claimed that, across the board, the public sector’s response to coronavirus is being “shored up by the power of data”.
She saluted the speed and efficacy with which information is being moved around, as well as the extent to which the UK’s “information governance framework is able to flex in a time of public health emergency to serve as an enabler to the rapid sharing of information while maintaining proportionate safeguards”.
Caldicott said: “It is with gratitude that, in the thick of everything, I have still heard colleagues cite the importance of protecting confidentiality. Practical steps are also being taken to ensure that trust is not undermined. For example, my panel and I have been pleased this week to support NHSX with the drafting of a template privacy notice, which will be sent out to NHS organisations next week to support them to tell patients and service users about what might be different in the handling of their health and care data during the outbreak.
“It is heartening to note that even at this unprecedented crisis, trust and confidentiality still matter.”
Half the population believe they have been exposed to misinformation during the coronavirus pandemic and want to see more official TV ads
Head of statistics watchdog tells health secretary ‘it is not surprising data is widely criticised and mistrusted’
Cabinet Office advertises for cross-government positions
PHE also reveals outsourcers Serco and Sitel will process sensitive information and claims length of retention is ‘because Covid-19 is a new disease’
CyberArk's David Higgins explores the cyber risks of hiring independent contractors
CyberArk's John Hurst looks at the true cost of GDPR breaches