The England and Wales contact tracing app will soon ask users to share details of where they have checked in, if they test positive for the coronavirus.
The update to the NHS Covid-19 app will roll out ahead of the reopening of stores in both countries on April 12, as well as open-air hospitality in England.
Authorities will be able to use this information to tell other visitors if they need to be tested for the virus.
But the system was designed to protect the anonymity of users.
“The app was designed with user privacy in mind, so it tracks the virus, not people, and uses the latest data security technologies to protect privacy,” a ministry spokesperson said. of Health and Social Affairs.
Until now, the QR barcode scanning feature was only used if the local authorities themselves flagged a location as a viral hotspot by other means.
This would then trigger a process by which each phone could verify if it had been in one of the affected locations on the affected dates, and send an alert to the owner.
But the facility has rarely been used, despite more than 106 million records.
In March, Sky News reported that “capacity issues at the local level” were responsible for this, with overworked health protection teams not knowing what they were supposed to do.
The decision to automate the system through users’ own actions could help address this issue.
People may have concerns about disclosing where and when they have been.
To address this issue, the Department of Health said a “privacy” approach was being taken.
The app will only share location history data if users opt-in.
And rather than disclosing names or other personal information, the software will simply notify the system when an infected user has visited the premises.
Depending on the thresholds set – for example, the number of infected users who visited the same location on the same day – then other users of the app can be asked to monitor their symptoms or to take a test immediately, whether they feel sick or not.
The registration tool is not intended to be used on its own to force other people to self-isolate.
“People shouldn’t be worried about this, as they shouldn’t be asked about their whereabouts, but rather the whereabouts of an unidentified person who tested positive with Covid,” commented Professor Alan Woodward , a security expert from the University of Surrey.
Further details will be revealed in an upcoming revision of the application’s Data Protection Impact Assessment (DPIA) document.
Privacy advocates have, however, raised concerns over a parallel system in place in Scotland.
Users are encouraged to use a new application – Check In Scotland – to register with the sites.
It is separate from the Protect Scotland contact tracing app and therefore is not bound by the same privacy safeguards demanded by Google and Apple, which provide some of the technology involved.
Check In Scotland uploads each user’s name, email address and mobile phone number to a centralized “secure” database with the time of their visit to each location.
The justification given is twofold:
“a real concern” that users can delete their logs of places visited before a warning is received
to allow Test and Protect employees to come into direct contact with people deemed at risk of contagion by sharing a place with an infected person
Users are advised that the data should only be used to try to combat the virus.
But the AIPD recognizes that the information could, in theory, be disclosed for other purposes if required by a court order or ministerial directive.
Some experts fear that this leaves the door open to “misuse”.
“The concern is that this infrastructure, once in place, is unlikely to disappear because the coronavirus will be with us for a long time,” said Professor Michael Veale, professor of digital rights at University College London.