Skip to main content
Amnesty International UK
Log in

7 principles that should be guiding roll-out of any COVID-19 contacting-tracing app

'Our privacy must not become another casualty of the crisis'

The UK Government plans to introduce a COVID-19 tracing app as part of its plan to combat the spread of coronavirus. As one part of a comprehensive public health approach, having an app to help with tracing could be positive.

Since 5 May, the particular ‘NHSX’ app the government has chosen has been offered to people in the Isle of Wight, as a kind of first-run. However, there remain practical, legal and ethical questions and concerns that need to be answered as part of the decision making on next steps.

The app that the government has chosen uses a centralised model, meaning – roughly –that the data isn’t just kept on your phone, but collected centrally by the government. Unlike most other European countries – such as Germany, Italy and Ireland – who have chosen a more privacy-protecting decentralised model.

We all want to do everything we can to beat coronavirus, but our privacy must not become another casualty of the crisis – the government needs to ensure decisions are guided by the important tests that human rights law sets out for any interference with those rights: lawfulness, necessity and proportionality.

We have written to the government raising our concerns, and setting out seven principles that should guide their choice of app and how it is developed and rolled-out nationally. We’re encouraging the UK government to address these principles and how its app will meet them, openly:

1. Consent and transparency

  • Any individual decision to download and use it must be entirely voluntary.
  • The full source code underlying the app should be available for scrutiny.

2. Limited purpose

  • All data collection must be restricted to controlling the spread of COVID-19 and it should not be used for any other purpose - including law-enforcement, national security or immigration control.
  • It must also not be made available to any third party or for commercial use.

3. Anonymity

  • There must be transparent scientific proof that it is impossible for collected data to be de-anonymised, including by combining it with other data sets.

4. Privacy and data protection by design

  • The app must be in line with GDPR and the UK’s data protection laws, with privacy at the forefront of its design.
  • Data collected must be the minimum amount necessary, and securely stored.

5. Independent expert oversight

  • The app and collection and use of data must be independently overseen by a regulator empowered to enforce its decisions.

6. Time limits

  • The data and app must be subject to mandatory time-bound deletion and/or deleted as soon as is reasonable after serving their declared purpose.

7. Equality and non-discrimination

  • The collection and use of data through the app must not impact disproportionately on any individual as a result of their particular status, such as socioeconomic or immigration position, age or ethnic origins.
  • The benefits of the app must be accessible to everyone, no matter what phone or smartphone they have.

We’re asking the UK Government (via a letter to Health Secretary Matt Hancock MP) to set out how the current version of the contact-tracing app meets these principles, and put them at the heart of its decision making.

You can find more information on our work on COVID-19 and human rights here.