The Ada Lovelace Institute has issued a paper which considers what milestones any UK contract tracing app would have to meet before roll-out to ensure the app is safe, fair and equitable. The paper builds on the rapid evidence review Exit through the App Store? and articulates the technical and practical limitations that would have to be overcome, and the policy and scrutiny measures that would have to be in place, before a contact tracing app is rolled out in the UK. It argues that if the government launches an ineffective app or untrustworthy app, it will not be adopted, it is unlikely to be effective and could even be actively harmful to people’s health and trust.
The Institute says that to date the government has not answered the concerns it raised in its initial report, nor is it changing its recommendation that there is not yet the evidence and justification for an imminent national roll out. It currently sees no evidence for a scenario where the app will be able to trace contact to a high degree of accuracy and command the high levels of use and adherence needed for it to be a central pillar in the government’s public health strategy, to be relied on to keep people safe.
A key theme running through all the Institute’s suggested steps is the need for greater transparency and honesty with the public about the ethical concerns and technical limitations.
The first suggested steps are that the government, with support of Parliament, must build the legislative and policy structures to underpin and surround the app, including: publicly setting success criteria and outcomes; and articulating the broader strategy and policy framework.
It must also implement primary legislation and oversight mechanisms. Legal and technical sunset clauses must be built into the design of new powers and technologies. The government must advance primary legislation regulating the processing of data by both public and private sector actors in the use of technology to transition from the crisis. It must further encourage privacy-by-design in technical implementations and must choose privacy-preserving protocols to underscore technical measures.
Legislation must limit scope creep, by setting out precise purposes for data processing, who has access to data and for what purpose; require the deletion of data after specified periods, with exemptions from deletion of anonymised data for use in research; and prevent discrimination.
Legislation must also prohibit the development of third-party contact tracing apps and uses of contact tracing data. The government must also ensure that the ICO has the appropriate remit and capacity to oversee data use, and to require the performance, publication and approval by the ICO of a Data Protection Impact Assessment.
In addition the efficacy of the app must be demonstrated and the government must be transparent about the technical measures under consideration in advance of their deployment. The paper highlights that the risk is not just that the public lose faith in this app to support the health crisis, it could undermine trust in public health initiatives and government strategy more broadly.