Contact tracing apps: one way out of lockdown


Contact tracing apps have been making headlines around the world and are now set to form part of the UK Government's strategy for exiting from lockdown and unlocking the economy until a vaccine or effective treatment for those infected with COVID-19 is found.

But what are these apps and how might they affect individuals and businesses? Whilst there are privacy concerns with tracing technology, with the correct procedures and policies in place these are by no means insurmountable. However, the potential for conflict between privacy concerns and public health concerns is likely to fuel debate in this area for some time to come.

What are contact tracing apps?

Contact tracing apps work by notifying those who have been in close proximity with an individual diagnosed with COVID-19, thereby helping to interrupt infection chains. Whilst each app will be slightly different, broadly speaking app users will exchange anonymous tokens with other app users in their proximity, typically via Bluetooth. Should an infected person upload their diagnosis on their app, a message will be sent in-app to all users who had recently exchanged tokens with the infected user and are therefore deemed an infection risk themselves. Those who have been notified will, we understand, be encouraged to self-isolate and/or report for testing to check whether they have actually been infected.


In the UK, we understand that NHSX, the digital innovation wing of the NHS, is currently at an advanced stage of developing such an app and is running a trial in the Isle of Wight as we write. Subject to the trial going well, Government sources suggest that the app could be rolled out nationally in a few weeks. We expect this app to be the most popularly used tracing app in the UK, however, the public could equally take up any app developed by private companies. Either way, expect an aggressive Government marketing campaign in the coming days and weeks – experts suggest as many as 80% of smartphone users need to actively use the NHSX app (equating to around 56% of the general population) for it to have the best effect. Achieving such a high figure will be an incredible challenge for the Government, who will be mindful of efforts made by tracing app trailblazers such as Singapore, who released a national tracing app in late March, but have since struggled to lift take-up beyond 20% of the population. This may prompt the Government to call upon business to play a role in encouraging higher levels of take-up (see further below).

As far as we know, the NHSX app is the only serious developer in the UK at the moment but private companies and other public bodies may be in the process of developing such apps for deployment in the UK. We know for example that Netcompany, a Danish business employing 400 people in the UK, have developed an app which has been chosen by the Danish government for official roll out in Denmark. King's College London also released a symptom reporting app in March (which has already been downloaded by over 2 million in the UK), which they have used for their own clinical research purposes.

Contact tracing apps are just one type of app being considered in the global fight against COVID-19. Others include symptom tracking applications and those that produce digital immunity certificates (the latter theoretically granting those who have immunity to the virus certain privileges).

What personal data, if any, gets processed and where will any data be stored?

If the app processes personal data, compliance with the EU General Data Protection Regulation (GDPR) will need to be considered. Government ministers have said that little or no personal data in the ordinary sense of the meaning will be processed by the app (such as a user's name). However, under the GDPR personal data is defined broadly and can include data that identifies an individual by reference to a unique identifier (which is the case with the NHSX app where a unique "anonymous" token will be assigned to each user).

More conventional personal data that might be involved (whether at the app's launch or as seen in a later iteration) ranges from identity data such as the user's name, location data and health data. Note that health data is classified as "special category" personal data under the GDPR (i.e. more sensitive) and subject to stricter obligations. Any processing of personal data is likely to be justified on the grounds of consent of the app user or public health.

Whilst the final format and content of the app is still being tested, at a meeting of the UK Human Rights Committee on 4 May, Matthew Gould the CEO of NHSX explained that users will be required to enter the first half of their postcode onto the app. This will assist the Government in identifying particular virus hotspots and tracking infection rates. Perhaps more worryingly, he went on to say that the app will evolve during its lifecycle and that NHSX may request personal data such as age and gender details, with any such request grounded upon user consent.

If age, gender and the first part of a user's postcode are the only data collected, from a security perspective this is unlikely to result in being able to identify a user by name. However, this data would still be subject to the GDPR for the reasons set out above.

In April Google and Apple announced a joint initiative including the launch of an application programming interface which would enable app users on Google and Apple devices to communicate anonymised tokens from their respective apps via Bluetooth. This initiative envisages a decentralised storage of data – any personal data would be stored on the individual's device, and there would be no exchange of identifiable personal data between two devices. As noted by the ICO, as a general rule this approach is more in line with the GDPR data minimisation principle.


NHSX is reported to be involved in discussions with Google and Apple but at the time of writing, the indications from the Government are that the NHSX app will instead adopt a centralised approach, with a central server storing a user's matches and sending out positive notifications where relevant. UK health authorities would presumably run this central server, making them the data controller responsible for compliance with the GDPR. Most European governments are following Apple and Google's decentralised approach, with the UK joined only by France and Norway in developing an app with central data storage, although advocates insist this will allow UK health authorities to maximise the app's effectiveness. That said, some degree of cooperation from Google and Apple is likely to be important, at least from a technical perspective – for example, to ensure that the app can run in the background without imposing an excessive drain on smartphone batteries.

One of the reasons why NHSX favours a centralised approach is thought to be a desire to reduce the number of notifications which turn out to be "false positives" (e.g. because the level of contact was so minimal that it could not have resulted in transmission of the virus). This may be out of concern that too many false positives will undermine confidence in the app, potentially leading people to delete it from their smartphones. Other concerns about the decentralised approach are thought to relate to the greater potential for malicious use and the difficulty of using it to collect data centrally to monitor the spread of the virus across the country. However, the NHSX's centralised approach raises more issues under both human rights and data protection law, as set out in this legal opinion here from Matrix Chambers and the data rights agency AWO (which also outlines further concerns about proposed data sharing between the public and private sectors).

Guidance from the ICO and the EU

The guidance from the UK regulator, the ICO, and the EU is united in the view that data protection legislation should not be viewed as an inconvenience but rather as integral to the construction and maintenance of such apps. This position is understandable for many reasons, not least if defective security measures mean that the app is hacked resulting in app users receiving false notifications – in such circumstances, the app could be an obstacle to economic recovery and containment of the virus.


We expand on a few points from ICO guidance below:

  • Data minimisation: The app should collect the minimum amount of data required. For example, we can see no reason why a contact tracing app requires a person's name to be disclosed for the app to be effective. Further, as outlined by the European Data Protection Board, the processing of location data is not strictly necessary for contact tracing.

  • Privacy by design and by default: This means that data protection must be integrated into the processing activities of the relevant parties from the app's creation to the end of its lifecycle.

  • User control: The app should only be downloaded voluntarily, despite the clear repercussions for take-up. Further, a user should be free to turn off the data sharing functionality (for example, Bluetooth) and delete the app should they so wish.

  • Purpose limitation: Any personal data should be used exclusively for the purpose of contact tracing and this should be communicated in a clear statement of purpose to users. The app should be discontinued once the pandemic has ceased and any residual personal data howsoever stored should be destroyed permanently.

  • Security: The app should use pseudonymous identifiers generated, where possible, on the device and not on any Government server. The app should also use cryptographic techniques to secure the data and ensure security measures are hard-wired into the design of the app.


Looking across to Europe, EU bodies have recently published a Roadmap towards lifting containment measures which envisages the vital role that apps may play in the immediate future as well as a specific "Toolbox" providing guidance to EU Member States in the design of contact tracing apps. The Toolbox, in particular, largely reflects the guidance issued by the ICO and outlines that fourteen Member States have either launched or intend to launch such apps.

How might businesses make use of contact tracing apps and what are the potential issues to consider?

Businesses may wish to make use of contact tracing apps as a way to help provide an additional assurance that those entering premises – whether employees, customers or other visitors – do not appear to have been infected. One way of doing this would be to ask individuals wishing to enter whether they have the app installed on their smartphone and if so, what their status is (i.e. that they have not received a possible infection alert). Indeed, given the need for very high take-up of the app, it is possible that Government may actively encourage businesses to take this kind of approach – because if people are regularly being asked about the app on entry to their workplace or when they do their shopping, they may be more likely to download it.

The extent of an employer's responsibility for privacy in relation to such apps will depend to a certain degree on whether (i) the employer is simply relying on its employees to pass on relevant information to it, generated from Government sponsored contact tracing apps to the extent that employees have loaded these onto their smartphones or (ii) the employer opts to take matters into its own hands by procuring/imposing its own technology solution via an app.


Opting to buy in/use its own technology as opposed to Government sponsored apps, will most likely mean that the employer has greater data protection responsibilities in respect of any data which is generated by the app. This is because it will be the data controller in respect of all data generated by the app (as opposed to simply the output of any information it asks for from employees who are using Government sponsored apps). The employer will have more to tell its employees in terms of ensuring transparency, and more data that it will need to keep safe; and it is likely to have to put data processing agreements in place with the providers of such apps if they are holding or have access to data collected via the app on behalf of the employer (with this will come due diligence obligations to ensure that data is kept safe and secure by app providers).

This analysis also applies in respect of other tools that tech and other companies are racing to build, such as employee health screening devices. These tools are designed to give businesses more control over potential outbreaks when they do open up their offices and facilities, and with it greater confidence to bring their employees physically together again.

Nevertheless, there are similarities between reliance on an employee using the Government backed app and an employer using technology they have developed or procured on their own. In both cases: (i) the processing of data will need to have a lawful basis, (ii) the employer should only process the data it needs, (iii) privacy policies will need to be updated so that the employer is transparent about the data it is collecting and what the data will be used for and (iv) data will have to be kept secure and only for so long as necessary. Similar measures will need to be adopted as those put in place to process other COVID-19 related personal data (for further details of such measures, please see our earlier briefing here).

Employers will also have to consider the impact which contact tracing may have on health and safety obligations and update employment policies accordingly. For example, they may well have to prevent employees who are traced by an app as having been in contact with an infected person from entering the workplace, even when an employee is otherwise seemingly healthy.

What about customers and other visitors to premises?

Whilst these apps are most likely to impact organisations in the employment realm, there could be broader consequences, with the possibility of consumer facing businesses particularly in retail, leisure and hospitality sectors having to consider the collection of data from either the NHSX app or any other app with a recognised status in the market in respect of visitors/customers to their premises. For example, retail outlets may want to see whether a customer has a 'green light' confirming they have not been exposed to infection on an app before permitting entry. Similarly, when they are permitted to re-open, restaurants and gyms may want to take similar information when booking diners in or before readmitting gym members.


Whether data protection rules are engaged will depend very much on whether any personal data has to be processed by the business in the first place. For instance, the mere checking for a 'green light' by a retail outlet without taking the identity of visitors and customers is unlikely to result in the processing of personal data, thereby side-stepping data protection concerns. However, where a more involved process is put in place, such as recording health data against a guest or member's name (for example as part of a restaurant booking process or linked to a gym membership card), data protection compliance would have to be considered and wired into the process. Either way, businesses will have to think carefully about whether it is proportionate to ask for this information, from a reputational perspective as well as for legal reasons. In particular, they will need to think carefully about how strictly they apply any such policy and who they are prepared to make exceptions for (for instance, statistically smartphone ownership declines among older generations).

How much reliance should the Government and business place on contact tracing apps?

As noted above, any Government sponsored contact tracing app will need very high levels of take-up if it is to be fully effective and will also need to address a number of legal concerns (although in our view, the latter is not insurmountable). For these reasons and those discussed in this briefing, it would seem inadvisable for either Government or business to focus too heavily on technology-based solutions of this kind.

Other measures are likely to be equally if not more important in containing the virus, such as adhering to guidance about hand hygiene and social distancing and manual contact tracing (where people known to have been infected are contacted by public health officials and asked who they have been in contact with recently). Indeed, in respect of the latter, we note that the Government is in the process of appointing 18,000 manual contact tracers to assist with the contact tracing initiative which will partly offset some of the shortcomings of the app.

In addition, the Government ideally needs to ensure that adequate facilities are available so that someone who receives a notification through the app of possible contact with an infected person can be tested promptly to find out if they really do have the virus. A failure to provide this capacity may create a perverse incentive for individuals not to download the app (or not to carry their smartphones with them), out of concern that it may produce a significant number of "false positives", leading individuals to self-isolate when they do not actually need to because the person they have been in contact with does not in fact have the virus.

This is a rapidly developing area – since our earlier Firm briefing we know a great deal more. When the NHSX app is formally launched in the UK, watch out for supporting guidance and perhaps primary legislation from the UK Government about how individuals and businesses are to use such apps, together with guidance from the ICO.

Key Contacts

Read Vivien Halstead Profile
Vivien Halstead
Read Dan Reavill Profile
Dan Reavill
Read Jonathan Rush Profile
Jonathan Rush

covid-19 hub

The rapid global spread of the Covid-19 virus has resulted in significant market volatility and is placing an immense strain on the business community. Get guidance and practical advice on key operational and legal issues.

covid-19 hub
Back To Top