The UK government announced in early April that it was developing a contact tracing app as a way to facilitate a faster exit from lockdown and stop the spread of Covid-19. The app was originally projected to be rolled out by mid-May, but the date was pushed back and the app’s development came increasingly under fire due to the pernicious privacy and human rights risks that come with any government-sanctioned data collection. These issues, combined with technical limitation that threatened even basic usability, have resulted in the government scrapping the app on the 18th of June. This article seeks to illustrate the technical and ethical concerns that have led to this decision, and where the UK finds itself now that no clear path forward on digital contact tracing exists.

How did the app work?

The now defunct tracing app was developed by NHSX, the digital arm of the NHS, and worked using Bluetooth Low Energy proximity tracing.

When turned on, the device would broadcast a unique identifier via Bluetooth. This identifier consisted of a random string of digits that did not include any identifying personal information. The app then exchanged one device’s identifier with another device’s identifier. A list of other devices encountered by a user would be stored on the phone for 28 days, after which it would be deleted.

The NHSX app had limited functionality. The most its users could do was report their Covid-19 symptoms. After a user did so, the system behind the app determined, through the use of a risk algorithm, whether to notify the owners of devices whose identifiers were stored in that user’s phone.

What Data did the app collect?

The government and NHS stressed that the app would not collect personal information that could identify the user. Upon download, a user would only be asked to enter the first half of their postcode. Officials claimed that this requirement allowed the NHS to track the spread of coronavirus by region.[1] The app also recorded the user’s phone model and the device’s Bluetooth usage, such as for how long it was in proximity to another device, and how strong the signal was between the devices.[2]

Personal data was only required if a person reported that they had symptoms and needed to be tested. The information requested at that point was extensive, as proper treatment and tracing of the disease required users and their contacts to be identified.

Centralised vs Decentralised

There have been two main models of contact tracing app: centralised and decentralised. The difference lies in how user data is processed and stored.

After testing positive in a decentralised system, a user’s identifier is uploaded to a server which then broadcasts the identifier to all of the phones running the app. If there is a match between identifiers, the users of the relevant devices are alerted that they may have come in contact with an infected person. The central server does not store information on users; all processing and storage are done on-device. By contrast, in a centralised model, a user’s proximity contacts are uploaded to a central database, where the matches are processed and then sent from that central server to the matched devices. The data on device ‘matches’ remains in the central database after alerting other users.

The NHSX app followed the centralised model. This contravened the Information Commissioner’s Office (ICO) guidance that the decentralised model is preferable from a privacy standpoint.[3] The argument offered in favour of the centralised model was that data collection would allow the NHS to track trends and identify patterns in the transmission of the virus.[4] This system was also said to offer greater specificity in who was contacted after a positive diagnosis, allowing for a more targeted approach and fewer false positives.[5]

The government plans to shift to a decentralised model that it has been developing concurrently with the NHSX app since early June.[6] The recent pivot is noteworthy because of the government’s previously rejection of a decentralised approach, a decision that created many of the technical issues that ultimately sank the NHSX app.[7]

Technical Issues

As the two largest digital storefront operators, both Apple and Google are able to restrict how apps can access Bluetooth on devices through app permissions. iOS and Android do not allow developers to constantly broadcast Bluetooth signals in the way the NHSX app required.[8] iOS apps can only send Bluetooth signals when the app is running in the foreground, and the latest versions of Android have similar restrictions. Apple and Google rewrote these rules for their own contact-tracing API, a toolkit that could be used by governments developing domestic contact tracing systems, but both companies would only allow use of this API for the development of decentralised apps due to privacy concerns.[9]

The UK government implied it had found a workaround for these technical issues, but there was little transparency on what this workaround was, and it ultimately failed to make the app functional.[10] During the trial on the Isle of Wight, the NHSX app only recognised 4% of Apple phones and 75% of Google Android devices, making it entirely ineffective at accurately assessing contact between users. In contrast, the Apple-Google model detected 99% of Android and iPhone devices, but had weaker distance calculations.[11]

The issue of Bluetooth reliability in location tracking has been a persistent challenge under both the centralised and decentralised models. Different settings can amplify the signal, and even at its lowest, a Bluetooth signal is further than the 2m distance said to prevent coronavirus spread.[12] Additionally, radio proximity is not spatial proximity. People in neighbouring flats who never interact can become false positives because Bluetooth signals can pass through walls.[13] All of these issues together can render Bluetooth useless for accurate proximity assessments, but the lesser privacy issues of a decentralised model make even imperfect use less risky.

Finally, there is also the issue of digital exclusion: those who are the most vulnerable to the disease, e.g. pensioners, are also those who are the least likely to own an app-compatible smartphone, leading to a situation where adopters are those who are least at risk.[14]

Privacy and Data Protection

Privacy issues have also been reported as a reason for the switch from the NHSX app to the new future decentralised one. However, there has been little discussion as to what these risks actually were.

The first risk comes as a built-in issue of a centralised system. As a centralised database works on the basis of proximity mapping, it will eventually gather data on clusters of individual relationships: family, friends, employees, etc. This makes the data incredibly sensitive, as it can create a map of interactions between users that is easily exploitable by governments when implementing invasive policies.

The second risk is that the operators of a centralised system will be able to see a persistent connection between device identifiers and the individuals they represent. The data in the central database is only pseudo-anonymous. It is capable of revealing an individual’s identity as it is always linked to the identifiers generated by a user’s phone and any self-reported personal information.[15] This means that anyone in control of the database could persistently track an individual once they’ve connected an identifier to them.

Finally, with self-reporting apps, there is also scope for misuse, the consequences of which could be 14 days of unnecessary isolation if a user is fraudulently notified that they have been in contact with an infected individual. ‘Hard registration’ is the only real way to allow for consequences against those who misreport. It is therefore very possible that over time more information will be required of users, creating mission creep, with an app slowly being altered to meet other governmental aims.[16]

These issues are typically addressed in a Data Protection Impact Assessment (DPIA). A DPIA must be completed by the UK government before it processes personal information if said processing is likely to result in a high risk to individual rights and freedoms.[17] DPIAs are a core part of proving an organisation’s compliance with GDPR Article 35,[18] yet the UK government failed to complete one before launching the general Test and Trace system on the 28th of May.[19] A DPIA on the app trial on the Isle of Wight was made available,[20] but the accuracy and validity of the government’s self-assessment of risks were then called into question by academics,[21] who argued that multiple privacy issues were sufficiently serious for Article 36 to be triggered and require a consultation to be performed by the ICO. The ICO disagreed;[22] however, its impartiality had already been called into question during a meeting of the Joint Committee on Human Rights.[23]

Concerns over data protection and privacy in relation to the NHSX app were such that the Joint Committee submitted a private member’s bill to enshrine further protections for the data collected.[24] The government declined to adopt the bill, claiming that the extra protection was unnecessary.[25] A second bill was later put forward by experts in data privacy law.[26] It was also rejected.

The app’s compliance with the GDPR was also called into question. Notably, there was a fear that Article 17 of the regulation, the “right to be forgotten”, was infringed upon. The personal information of anyone who tested positive after responding on the app was to be stored for the GDPR maximum of 20 years, and anyone in contact with a positive person who later tested negative was to have their data stored for five years.[27] There was no way for this data to be deleted.[28] The lawful basis for this policy was always unclear, and the government’s justification conflicted with Article 9 GDPR provisions for the retention of special category data.[29] The same issues arose in relation to the GDPR’s rights of access (Article 15) and objection (Article 21).[30] It is worth noting that the centralised tracking app in Singapore allowed and continues to allow data deletion at the user’s request.[31]

In the absence of legal protection, the UK government left the public with assurances that the data collected through the NHSX app would stay in the right hands. However, the fact that de-anonymised data was to only be visible to public health bodies rang hollow in light of the DeepMind scandal, where the relevant NHS Foundation trust released sensitive information on 1.6 million patients to Google without their consent.[32] Additionally, it was pointed out that the fact the NHS and Department of Health acted as sole data controllers under either the Data Protection Act 2018 or the GDPR did not stop other agencies from accessing the data under normal government data-sharing rules or under the Investigatory Powers Act 2016. This was of particular concern, given the past use of NHS patient data for immigration enforcement by the Home Office.[33] Hard legal limits would have needed to be imposed to ensure that the data is only accessible by proper parties for research purposes.

Human Rights and Proportionality

ECHR rights were also at risk of infringement by the NHSX app. Article 8, the right to privacy, was the most discussed for obvious reasons, however there were also issues of discrimination under Article 14, such as the risk of Home Office access and the risk of identification of stigmatised groups.[34]

Even under a decentralised model, individuals could be required to produce or download the app in certain contexts, such as that of employment. Though the app could be non-compulsory per government policy, there is still the risk of a discriminatory effect against those who cannot or will not download it. This risk could be mitigated by the introduction of legislation prohibiting employers or service providers from requesting individuals to produce the app; however, given the government’s refusal to create legislation for the NHSX app, any new app will likely face a similar treatment.

Any centralised European contact tracing system runs the risk of legal challenge on human rights grounds due to the use of automatic decision making, this being the use of a risk algorithm in contacting matches in the central database. This form of decision making can constitute an infringement of both Article 8 of the ECHR and of Article 22 of the GDPR. With regard to the former, the chances of success are unclear – while the Court found that a similar automatic decision making system violated Article 8 in S and Marper, that case also involved a prevention of crime element that is not currently present. Moreover, given the lack of Member State consensus in the response to coronavirus, it is likely that Member States adopting a centralised approach would gain a greater margin of appreciation than usual, making the finding of a violation unlikely on Article 8 grounds.

With regard to the GDPR, Article 22 disallows the use of automatic decision making without sufficient legal authorisation by a Member State and without suitable measures to safeguard data subjects’ right, freedoms and legitimate interests. The legal authorisation by the UK government in the case of the NHSX app was unclear, and the privacy concerns and failure to complete a timely and detailed DPIA both called into question if suitable measures have been considered.[35] This risk of running afoul of the GDPR was likely a significant consideration when deciding to scrap the app.

Conclusion

When considering these issues together, the Ada Lovelace Institute found that the significant technical limitations and social risks of any form of digital contact tracing outweighed the value offered, and that extensive work would be required to overcome these issues and justify any rollout.[36] Furthermore, a lack of testing capacity and lack of methods to verify immunity call into question whether user data can be used effectively in any iteration of a tracing app.[37]

The final question now is where all of this leaves the UK in regard to digital contact tracing. Any new app is unlikely to be released before the winter (if at all)[38], and the UK government seems more inclined to push blame onto Apple rather than provide a roadmap for future development.[39]

More so than any of the issues inherent to the app, the NHSX app’s failure comes as a result of hubris. The UK government was overconfident in believing it could avoid technical challenges under a centralised system and in not being challenged on the legal and ethical issues of the app. Development was then managed chaotically and any attempts to course correct failed. The result was overspending, and worse yet, wasted time and lost lives.

Bibliography

Google DeepMind 1.6m patient record deal ‘inappropriate’’ (The Guardian, 16 May 2017) [Online] <https://www.theguardian.com/technology/2017/may/16/google-deepmind-16m-patient-record-deal-inappropriate-data-guardian-royal-free> Accessed 14 June 2020

Ada Lovelace Institute, ‘Exit through the App Store? Should the UK Government use technology to transition from the COVID-19 global public health crisis’ (20 April 2020) [Online] <https://www.adalovelaceinstitute.org/exit-through-the-app-store-how-the-uk-government-should-use-technology-to-transition-from-the-covid-19-global-public-health-crisis/> Accessed 13/06/2020

3. C Hall, ‘No Data Protection Impact Assessment Conducted on Coronavirus Test and Trace’ (11 June 2020) [Online] <https://www.vwv.co.uk/news-and-events/blog/information-law-brief/coronavirus-test-trace-data-protection> Accessed 13/06/2020

4. Fraser Group, ‘Digital contact tracing can slow or even stop coronavirus transmission and ease us out of lockdown’ (16 April 2020) [Online] <https://www.research.ox.ac.uk/Article/2020-04-16-digital-contact-tracing-can-slow-or-even-stop-coronavirus-transmission-and-ease-us-out-of-lockdown> Accessed 12/06/2020

5. Fraser Group, ‘The UK prepares for national launch of COVID-19 digital contact tracing app with the help of Oxford Scientists’ (26 May 2020) [Online] <https://www.coronavirus-fraser-group.org/for-media> Accessed 13/06/2020

6. I Levy, ‘The security behind the NHS contact tracing app’ (4 May 2020) [Online] <https://www.ncsc.gov.uk/blog-post/security-behind-nhs-contact-tracing-app> Accessed 13/06/2020

7. ICO, ‘COVID-19 Contact tracing: data protection expectations on app development’ (4 May 2020) [Online] <https://ico.org.uk/media/for-organisations/documents/2617676/ico-contact-tracing-recommendations.pdf> Accessed 13/06/2020

8. ICO, ‘Statement in response to media enquiries about the Data Protection Impact Assessment for the NHSX’s trial of contact tracing app’ (7 May 2020) [Online] <https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/05/dpia-for-the-nhsx-s-trial-of-contact-tracing-app/> Accessed 12/06/2020

9.  Bay and others, ‘BlueTrace: A privacy-preserving protocol for community-driven contact tracing across borders’ (9 April 2020) [Online] <https://bluetrace.io/static/bluetrace_whitepaper-938063656596c104632def383eb33b3c.pdf> Accessed 13/06/2020

10. J Vincent, ‘Without Apple and Google, the UK’s contact-tracing app is in trouble’ (The Verge, 5 May 2020) [online] <https://www.theverge.com/2020/5/5/21248288/uk-covid-19-contact-tracing-app-bluetooth-restrictions-apple-google> Accessed 13/06/2020

11. J Wareham, ‘U.K. Contact Tracing App Could Endanger LGBT Human Rights, Minorities Warned’ (Forbes, 24 May 2020) [Online] <https://www.forbes.com/sites/jamiewareham/2020/05/21/uk-nhs-contact-tracing-app-could-endanger-human-rights-lgbt-and-minorities-warned Accessed 14/06/2020> Accessed 14/06/2020

12. L Edwards and others, ‘The Coronavirus (safeguards) Bill 2020: Proposed Protections for Digital Interventions and in Relation to Immunity Certificates’ (13 April 2020) <osf.io/preprints/lawarxiv/yc6xu> Accessed 13/06/2020

13. L Kelion, ‘Coronavirus: Ministers consider NHS contact-tracing app rethink’ (BBC, 11 June 2020) [Online] <https://www.bbc.co.uk/news/technology-52995881 Accessed 12/06/2020> Accessed 13/06/2020

14. L Kelion, ‘NHS rejects Apple-Google coronavirus app plan’ (BBC, 27 April 2020) [Online] <https://www.bbc.co.uk/news/technology-52441428> Accessed 09/06/2020

15. L Kelion, ‘UK virus-tracing app switches to Apple-Google model (BBC, 18 June 2020) [Online] <https://www.bbc.co.uk/news/technology-53095336> Accessed 24/06/2020

16. Letter from Rt Hon Harriet Harman MP to Rt Hon Matt Hancock MP, (29 May 2020) [Online] <https://committees.parliament.uk/publications/1284/documents/11453/default/> Accessed 13/06/2020

17. Letter from Rt Hon Jacob Rees-Mogg to Rt Hon Harriet Harman, (28 May 2020) [Online] <https://committees.parliament.uk/publications/1283/documents/11444/default/> Accessed 13/06/2020

18. M Burgess, ‘Everything you need to know about the NHS test, track and trace app’ (Wired, 11 June 2020) [online] <https://www.wired.co.uk/article/nhs-covid-19-tracking-app-contact-tracing> Accessed 14/06/2020

19. M Field, ‘Contact-tracing app will not be ready until winter, admits health minister’ (The Telegraph, 17 June 2020) [Online] <https://www.telegraph.co.uk/technology/2020/06/17/contact-tracing-app-will-not-ready-winter-admits-health-minister/> Accessed 25 June 2020

20. M Veale, ‘Analysis of the NHSX Contact Tracing App ‘isle of Wight’ Data Protection Impact Assessment’ (9 May 2020) <osf.io/preprints/lawarxiv/6fvgh> Accessed 12/06/2020

21. NHS, ‘Data Protection Impact Assessment NHS COVID-19 App PILOT LIVE RELEASE Isle of Wight’ (6 May 2020) [Online] <https://faq.covid19.nhs.uk/DPIA%20COVID-19%20App%20PILOT%20LIVE%20RELEASE%20Isle%20of%20Wight%20Version%201.0.pdf> Accessed 13/06/2020

22. NHS, ‘NHS Test and Trace Privacy Information’ (9 June 2020) <https://contact-tracing.phe.gov.uk/help/privacy-notice> Accessed 14/06/2020

23. NHSX, ‘COVID-19-app-Android-BETA’ (6 May 2020) [Online] <https://github.com/nhsx/COVID-19-app-Android-BETA?fbclid=IwAR2gUq85CNlVFdE8OZz6uMVCi5RbWwyegnZenUMYULbJQFeaW0TQHNxY4nI> Accessed 14/06/2020

24. NHSX, ‘COVID-19-app-iOS-BETA’ (6 May 2020) [Online] <https://github.com/nhsx/COVID-19-app-iOS-BETA?fbclid=IwAR161w8xn8DvWUGowHQErsUzcrIgQuyJPuJJoVw0BggEKXgsFQ9708Wdxs4> Accessed 14/06/2020

25. O Bowcott, ‘Home Office scraps scheme that used NHS data to track migrants’ (The Guardian, 12 November 2018) [Online] <https://www.theguardian.com/society/2018/nov/12/home-office-scraps-scheme-that-used-nhs-data-to-track-migrants Accessed 14/06/2020> Accessed 14/06/2020

26. Oral evidence from Elizabeth Denham to the Joint Committee on Human Rights, HC265 (4 May 2020) [Online] < https://committees.parliament.uk/oralevidence/333/html/> Accessed 12/06/2020

27. Oral evidence from Matthew Gould to the Joint Committee on Human Rights, HC265 (4 May 2020) [Online] < https://committees.parliament.uk/oralevidence/333/html/> Accessed 12/06/2020

28. P Howell O’Neill, ‘No, coronavirus apps don’t need 60% adoption to be effective’ (Technology Review, 5 June 2020) [Online] <https://www.technologyreview.com/2020/06/05/1002775/covid-apps-effective-at-less-than-60-percent-download/> Accessed 13/06/2020

29. Privacy International, ‘Bluetooth tracking and COVID-19: A tech primer’ (31 March 2020) [Online] <https://privacyinternational.org/explainer/3536/bluetooth-tracking-and-covid-19-tech-primer> Accessed 09/06/2020

[1] M Burgess, ‘Everything you need to know about the NHS test, track and trace app’ (Wired, 11 June 2020) [online] https://www.wired.co.uk/article/nhs-covid-19-tracking-app-contact-tracingAccessed 14/06/2020

[2] Oral evidence from Matthew Gould to the Joint Committee on Human Rights, HC265 (4 May 2020) [Online] < https://committees.parliament.uk/oralevidence/333/html/> Accessed 12/06/2020

[3] Burgess (n 1)

[4] ICO, ‘COVID-19 Contact tracing: data protection expectations on app development’ (4 May 2020) [Online] https://ico.org.uk/media/for-organisations/documents/2617676/ico-contact-tracing-recommendations.pdf Accessed 13/06/2020

[5] Gould (n 2)

[6] I Levy, ‘The security behind the NHS contact tracing app’ (4 May 2020) [Online] https://www.ncsc.gov.uk/blog-post/security-behind-nhs-contact-tracing-app Accessed 13/06/2020

[7] L Kelion, ‘Coronavirus: Ministers consider NHS contact-tracing app rethink’ (BBC, 11 June 2020) [Online] <https://www.bbc.co.uk/news/technology-52995881 Accessed 12/06/2020> Accessed 13/06/2020

[8] J Vincent, ‘Without Apple and Google, the UK’s contact-tracing app is in trouble’ (The Verge, 5 May 2020) [online] <https://www.theverge.com/2020/5/5/21248288/uk-covid-19-contact-tracing-app-bluetooth-restrictions-apple-google Accessed 12/06/2020 Accessed 10/06/2020> Accessed 13/06/2020

[9] Vincent (n 8)

[10] L Kelion, ‘NHS rejects Apple-Google coronavirus app plan’ (BBC, 27 April 2020) [Online] https://www.bbc.co.uk/news/technology-52441428 Accessed 09/06/2020

[11] Vincent (n 8)

[12] L Kelion, ‘UK virus-tracing app switches to Apple-Google model (BBC, 18 June 2020) [Online] <https://www.bbc.co.uk/news/technology-53095336> Accessed 24/06/2020

[13] Privacy International, ‘Bluetooth tracking and COVID-19: A tech primer’ (31 March 2020) [Online] https://privacyinternational.org/explainer/3536/bluetooth-tracking-and-covid-19-tech-primerAccessed 09/06/2020

[14] Privacy International (n 13)

[15] Privacy International (n 13)

[16] M Veale, ‘Analysis of the NHSX Contact Tracing App ‘isle of Wight’ Data Protection Impact Assessment’ (9 May 2020) <osf.io/preprints/lawarxiv/6fvgh> Accessed 12/06/2020

[17] Veale (n 16)

[18] ICO (n 4)

[19] C Hall, ‘No Data Protection Impact Assessment Conducted on Coronavirus Test and Trace’ (11 June 2020) [Online] https://www.vwv.co.uk/news-and-events/blog/information-law-brief/coronavirus-test-trace-data-protection Accessed 13/06/2020

[20] Hall (n 15)

[21] NHS, ‘Data Protection Impact Assessment NHS COVID-19 App PILOT LIVE RELEASE Isle of Wight’ (6 May 2020) [Online] https://faq.covid19.nhs.uk/DPIA COVID-19 App PILOT LIVE RELEASE Isle of Wight Version 1.0.pdf Accessed 13/06/2020

[22] Veale (n 16)

[23] ICO, ‘Statement in response to media enquiries about the Data Protection Impact Assessment for the NHSX’s trial of contact tracing app’ (7 May 2020) [Online] https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/05/dpia-for-the-nhsx-s-trial-of-contact-tracing-app/ Accessed 12/06/2020

[24] Oral evidence from Elizabeth Denham to the Joint Committee on Human Rights, HC265 (4 May 2020) [Online] https://committees.parliament.uk/oralevidence/333/html/ Accessed 12/06/2020

[25] Letter from Rt Hon Harriet Harman MP to Rt Hon Matt Hancock MP, (29 May 2020) [Online] https://committees.parliament.uk/publications/1284/documents/11453/default/ Accessed 13/06/2020

[26] Letter from Rt Hon Jacob Rees-Mogg to Rt Hon Harriet Harman, (28 May 2020) [Online] https://committees.parliament.uk/publications/1283/documents/11444/default/ Accessed 13/06/2020

[27] L Edwards and others, ‘The Coronavirus (safeguards) Bill 2020: Proposed Protections for Digital Interventions and in Relation to Immunity Certificates’ (13 April 2020) <osf.io/preprints/lawarxiv/yc6xu> Accessed 13/06/2020

[28] NHS, ‘NHS Test and Trace Privacy Information’ (9 June 2020) https://contact-tracing.phe.gov.uk/help/privacy-notice Accessed 14/06/2020

[29] Gould (n 2)

[30] Veale (n 16)

[31] Veale (n 16)

[32] J Bay and others, ‘BlueTrace: A privacy-preserving protocol for community-driven contact tracing across borders’ (9 April 2020) [Online] https://bluetrace.io/static/bluetrace_whitepaper-938063656596c104632def383eb33b3c.pdf Accessed 13/06/2020

[33] A Hern, ‘Google DeepMind 1.6m patient record deal ‘inappropriate’’ (The Guardian, 16 May 2017) [Online] https://www.theguardian.com/technology/2017/may/16/google-deepmind-16m-patient-record-deal-inappropriate-data-guardian-royal-free Accessed 14 June 2020

[34] O Bowcott, ‘Home Office scraps scheme that used NHS data to track migrants’ (The Guardian, 12 November 2018) [Online] <https://www.theguardian.com/society/2018/nov/12/home-office-scraps-scheme-that-used-nhs-data-to-track-migrants Accessed 14/06/2020> Accessed 14/06/2020

[35] J Wareham, ‘U.K. Contact Tracing App Could Endanger LGBT Human Rights, Minorities Warned’ (Forbes, 24 May 2020) [Online] <https://www.forbes.com/sites/jamiewareham/2020/05/21/uk-nhs-contact-tracing-app-could-endanger-human-rights-lgbt-and-minorities-warned Accessed 14/06/2020> Accessed 14/06/2020

[36] Oral evidence from Michael Veale to the Joint Committee on Human Rights, HC265 (4 May 2020) [Online] https://committees.parliament.uk/oralevidence/333/html/ Accessed 12/06/2020

[37] Ada Lovelace Institute, ‘Exit through the App Store? Should the UK Government use technology to transition from the COVID-19 global public health crisis’ (20 April 2020) [Online] https://www.adalovelaceinstitute.org/exit-through-the-app-store-how-the-uk-government-should-use-technology-to-transition-from-the-covid-19-global-public-health-crisis/ Accessed 13/06/2020

[38] Privacy International (n 14)

[39] M Field, ‘Contact-tracing app will not be ready until winter, admits health minister’ (The Telegraph, 17 June 2020) [Online] <https://www.telegraph.co.uk/technology/2020/06/17/contact-tracing-app-will-not-ready-winter-admits-health-minister/> Accessed 25 June 2020

[40] Kelion (n 12)