If the app processes personal data, compliance with the EU General Data Protection Regulation (GDPR) will need to be considered. Government ministers have said that little or no personal data in the ordinary sense of the term (such as a user's name) will be processed by the app. However, under the GDPR personal data is defined broadly and includes data that identifies an individual by reference to a unique identifier, which is the case with the NHSX app, where a unique "anonymous" token will be assigned to each user. Such a token is pseudonymous rather than anonymous: it can be linked back to a particular user, and pseudonymised data remains personal data under the GDPR.
More conventional personal data that might be involved (whether at the app's launch or in a later iteration) ranges from identity data such as the user's name to location data and health data. Note that health data is classified as "special category" personal data under the GDPR (i.e. more sensitive) and is subject to stricter obligations. Any processing of personal data is likely to be justified on the grounds of the app user's consent or of public health.
Whilst the final format and content of the app are still being tested, at a meeting of the UK Human Rights Committee on 4 May, Matthew Gould, the CEO of NHSX, explained that users will be required to enter the first half of their postcode into the app. This will assist the Government in identifying particular virus hotspots and tracking infection rates. Perhaps more worryingly, he went on to say that the app will evolve during its lifecycle and that NHSX may request further personal data such as age and gender, with any such request grounded upon user consent.
If age, gender and the first half of a user's postcode are the only data collected, this combination on its own is unlikely to identify a user by name. It does, however, narrow each user down to a much smaller group, and the re-identification risk grows if the data set is combined with other sources. In any event, this data would still be subject to the GDPR for the reasons set out above.
In April Google and Apple announced a joint initiative including the launch of an application programming interface which would enable app users on Google and Apple devices to exchange anonymised tokens from their respective apps via Bluetooth. This initiative envisages decentralised storage of data: any personal data would be stored on the individual's device, and there would be no exchange of identifiable personal data between two devices. As noted by the ICO, as a general rule this approach is more in line with the GDPR data minimisation principle.
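To make the data minimisation point concrete, the sketch below is an added illustration (not code from the original article, nor from Apple, Google or NHSX) of how a decentralised token exchange can be built so that only short-lived random tokens ever leave a device and exposure matching happens locally. The `Device` class, the HMAC-based derivation of rolling tokens from a random daily key, the 16-byte token size, the 144 intervals per day and the scenario itself are assumptions of this model; it follows the general shape of a decentralised design but is not the actual Google/Apple specification.

```python
"""Simplified model of a decentralised contact-tracing token exchange.

Added illustration only. Key sizes, the HMAC derivation and the Device
class are assumptions of this sketch, not the Google/Apple API.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

TOKEN_LEN = 16          # bytes per broadcast token (assumed)
INTERVALS_PER_DAY = 144  # one token per 10 minutes (assumed)


def rolling_token(daily_key: bytes, day: int, interval: int) -> bytes:
    """Derive the token broadcast in one interval from that day's key.

    Without the key, tokens from the same device are unlinkable, so a
    Bluetooth observer learns nothing about who was broadcasting.
    """
    msg = day.to_bytes(4, "big") + interval.to_bytes(2, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:TOKEN_LEN]


@dataclass
class Device:
    label: str                      # demo label only; never transmitted
    daily_keys: dict = field(default_factory=dict)
    seen: list = field(default_factory=list)   # (day, token) kept locally

    def key_for(self, day: int) -> bytes:
        # A fresh random key per day; it stays on the device unless the
        # user later consents to publish it after a positive test.
        return self.daily_keys.setdefault(day, secrets.token_bytes(16))

    def broadcast(self, day: int, interval: int) -> bytes:
        return rolling_token(self.key_for(day), day, interval)

    def observe(self, day: int, token: bytes) -> None:
        self.seen.append((day, token))

    def keys_to_publish(self, days) -> list:
        """What an infected user consents to upload: daily keys only,
        no name, location or list of contacts."""
        return [(d, self.daily_keys[d]) for d in days if d in self.daily_keys]

    def exposed(self, published) -> bool:
        """Match locally against published keys; nothing leaves the device."""
        candidates = {
            rolling_token(key, day, i)
            for day, key in published
            for i in range(INTERVALS_PER_DAY)
        }
        return any(token in candidates for _, token in self.seen)


def run_scenario() -> dict:
    """Constructed scenario: Alice meets Bob; Carol meets only Bob.

    Alice then tests positive and publishes her daily key. Only Bob,
    who actually observed one of Alice's tokens, is flagged.
    """
    alice, bob, carol = Device("alice"), Device("bob"), Device("carol")
    day = 18400  # constructed day index

    # Interval 7: Alice and Bob are in range of each other.
    bob.observe(day, alice.broadcast(day, 7))
    alice.observe(day, bob.broadcast(day, 7))
    # Interval 30: Carol and Bob are in range of each other.
    bob.observe(day, carol.broadcast(day, 30))
    carol.observe(day, bob.broadcast(day, 30))

    published = alice.keys_to_publish([day])
    return {"bob": bob.exposed(published), "carol": carol.exposed(published)}


if __name__ == "__main__":
    print(run_scenario())
```

Two properties carry the privacy argument: a device broadcasts a different token every interval (`rolling_token` with a different `interval` gives an unrelated value), and the only thing ever uploaded is a daily key, from which other devices recompute tokens and compare against their own locally held observations.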