

The UK has been one of the hardest hit countries in Europe in both numbers of deaths and cases of infection from COVID-19. The use and sharing of data is regulated by the Data Protection Act, which implements the European Union’s General Data Protection Regulation. England is developing an app that will operate via Bluetooth and use a centralized system to alert individuals who have been in close proximity to a user who later reports symptoms of COVID-19. England has also developed a Test and Trace Program, which involves a significant number of people to track and trace the contacts of people who report symptoms of COVID-19 either online, through the app, or via the telephone. There is no new legislation to introduce the app, the use of which is entirely voluntary. While the government has faced criticism for not introducing legislation to underpin the app, it claims that new legislation is not necessary as the use of the app is entirely voluntary and that data is protected under the Data Protection Act 2018 and the Human Rights Act 1998.

I. Introduction

The UK has been one of the most severely hit countries in Europe from COVID-19 in terms of both infections and deaths. As of May 22, 2020, 254,195 people in the UK had tested positive for COVID-19 and there had been 36,393 deaths confirmed with COVID-19 positive test results.[1]  

A significant percentage of the UK’s population has cell phones, with a study from Deloitte reporting that 88% of people in the UK own a smartphone.[2] With the high number of smartphones in use across the UK, an app to help automate the process to trace the contacts of individuals with symptoms of COVID-19 could help to reduce the spread of the disease, but this will only work if a significant number of people who have smartphones install the app. A poll from the Observer reported that 52% of people would download an app that enables contact tracing to be conducted automatically via their cell phones[3] while another poll indicated that 65% of people are willing to download such an app.[4]

While aspects of this report touch upon the four countries of the UK (England, Wales, Scotland, and Northern Ireland), the electronic measures taken by England to prevent the spread of COVID-19 will be the main focus.

The team responsible for the contact tracing app currently under development in England has stated that 60% of the population needs to download the app in order for it to be effective, although even a 50% uptake will help reduce infections and prevent the health care system from being overwhelmed.[5] As a point of reference, approximately 67% of cell phone users have downloaded WhatsApp.[6] The models estimating required participation exclude persons over 70 years of age, because they have lower smartphone usage and it is assumed they will typically follow the government’s advice to minimize contact with other people.[7]

II. Legal Framework

A. Privacy and Data Protection

The UK incorporated the European Union’s General Data Protection Regulation (GDPR) into its national law through the Data Protection Act 2018 (the 2018 Act).[8] The 2018 Act contains provisions relating to general data processing, and the processing of data by law enforcement and the intelligence services. The 2018 Act also provides for regulatory oversight and enforcement mechanisms to ensure it is implemented properly. It regulates how personal information may be processed, “requiring personal data to be processed lawfully and fairly, on the basis of the data subject’s consent or another specified basis.”[9] The 2018 Act also requires that any data collected should be limited in scope, collected only as necessary for the  reasons it is processed, accurate, and kept up to date. Any personal data must be stored in a manner that enables the identification of the data subject and held for no longer than necessary. Personal data must be processed in a way that ensures the security of the data and protects against unauthorized processing, accidental loss, destruction, or damage. The 2018 Act places a duty on the data controller to ensure the principles of the Act are complied with and demonstrate how this compliance is achieved.[10]

Individuals have a number of rights under the 2018 Act, including the right to obtain information about how their personal data is processed along with the right to have any inaccurate personal data corrected.[11] Individuals also have the right to have personal data held on them erased in certain circumstances, including if the data held is no longer necessary for the purposes that it was originally collected, if the individual withdraws consent, or if the data was processed unlawfully.[12]

Article 6(1)(d) of the GDPR provides that data may be lawfully processed for public health purposes if it is necessary:

  • to protect the vital interests of the data subject or another natural person;
  • for the performance of a task carried out in the public interest; and
  • for reasons of public interest in the area of public health.[13]

The 2018 Act further requires that any such processing must be necessary to perform a function conferred on a person by a law, with the Health Protection (Coronavirus) Regulations 2020 providing an additional legal basis for processing data relating to COVID-19.[14] For health data, such processing must also be “necessary for reasons of substantial public interest.”[15]

B. Location Tracking

The interpretation of “identifiable living individuals” includes those who can be identified using location data; thus, location data is considered to be personal data and the protections of the 2018 Act in relation to processing, storing, using, and sharing such data apply.[16]

The Investigatory Powers Act 2016 (the 2016 Act) provides the legal framework for the investigatory powers of law enforcement, public authorities, and the security and intelligence agencies of the UK to obtain communications and communications data. The 2016 Act includes location data under the term “secondary data”[17] and allows law enforcement to intercept, acquire, and retain these types of data in specified circumstances, such as in the interests of public safety or to protect public health.[18]

The 2016 Act also provides the Secretary of State with the ability to require telecommunications operators to retain internet connection records, which enable “law enforcement to identify the communications service to which a device has connected online.”[19]

III. Electronic Measures to Fight COVID-19 Spread

A. Contact Tracing App

The government has noted that the potential number of asymptomatic carriers of COVID-19 “indicate[s] that the spread of COVID-19 is too fast to be contained by manual contact tracing alone, but containment would be possible using a more efficient method involving a mobile app.”[20] In April 2020, the government announced that the National Health Service User Experience[21] (NHSX), the technology and research arm of NHS England and the Department of Health and Social Care, and researchers at Oxford University had worked together to develop an app that works on mobile devices to help public health authorities to manage COVID-19.[22] It is currently testing the app and plans to release it in England in the beginning of June 2020.[23] The aim of the app is to

. . . automate key parts of public health contact tracing by offering a proximity cascade system that can help slow transmission of the COVID-19 virus. This will save lives, reduce pressure on the NHS, help return people to normal life and mitigate damage to the economy.

The app also aims to preserve individual and group privacy, be tolerant to various malicious users and minimise the risks of pseudonymous subgroup reidentification. Importantly, it is driven by and informs expert epidemiological modelling, which in turn drives public policy.[24]

In order for the app to be the most effective, the government has noted that it needs to be paired with manual contact tracing and widespread testing to ensure that the data is accurate.[25]

The app was designed not to interfere with other apps or drain phone batteries, and to protect users’ privacy and device security. The app does not work on some older-model cell phones, such as those that do not support Bluetooth Low Energy (BLE), leading to concerns that vulnerable groups may be excluded from using the app.[26] The app is also reportedly incompatible with the operating system of newer Huawei phones.[27] The source code of the app has been made available to the public.[28]

1. Operation of the App

Once installed, the app creates an anonymous, fixed identifier for the user’s cell phone.[29] The app generates anonymous tokens and records when two people who have installed the app on their mobile devices are within a certain distance from one another for longer than a specified period of time.[30] The app does not use location data, although it does prompt users to provide the first half of their postcode (zip code) to enable the NHS to use the data to see where hotspots are emerging.[31]

The government has decided to permit users to self-report symptoms as “self-diagnosis can reduce by days, the time it takes a potentially infectious person to isolate. This is critical to the management of the spread of the disease, under the assumptions in the UK’s model.”[32] The Parliamentary Office of Science and Technology (POST) has noted that while permitting such self-reporting can reduce the exposure of others to infection while test results are being processed, it could also lead to a number of false positive alerts and that fast testing will be key to ensuring public confidence in the advice provided by the app.[33]

The NHS has reiterated this, stating that the reason for allowing individuals to self-report symptoms on the app is because

[t]he epidemiological models tell us that any delay in isolating people who are showing symptoms has a real effect on the spread of the virus. The less delay there is, the better the NHS can manage the spread. No testing regime can give immediate results, so the public health professionals have taken the decision to ask people to declare symptoms that are likely to be coronavirus.[34]

The app asks self-reporting users a series of structured questions to determine if they have symptoms of COVID-19.[35] The app then “runs [any contact events with other users of the app] through a sophisticated risk model to work out the encounters that are high risk from a virus transmission point of view.”[36] This appears to be based on users having prolonged close contact with one another.[37] The data is shared to a centralized health service database[38] and all users who were in “significant contact” within the past 28 days[39] of the user reporting symptoms are alerted. The app sends recommendations to these users that vary “depend[ing] on the evolving context and approach.”[40] The POST has stated that

[c]riteria used to determine whether a user is at risk are based on an understanding of how different levels of exposure (e.g. closeness and duration of contact) affect risk of infection. The app could also make recommendations to manage this risk, such as checking symptoms, reporting to a test centre or self-isolating.[41]

The identity of the person reporting symptoms is not revealed to other app users; the notification simply informs them that they have been in proximity to a person with symptoms of COVID-19[42] and to take certain measures.

In cases where the person reporting symptoms later receives a negative test, contacts are informed through the app that it was a false positive. If the user has a positive test result, the contacts are asked to self-isolate for 14 days and to get tested themselves. If the user reporting symptoms does not get a test and not many of his or her contacts report symptoms, it is considered that this “statistically suggests” the user was not positive and their contacts are informed they do not need to continue to self-isolate. If the opposite is true, and a number of the user’s contacts report symptoms, it is considered that the person was probably infected and that their contacts should consider self-isolation.[43]

There are reports that the app is unable to work properly if another app is being actively used, as it will only start broadcasting its identifier if an identifier is broadcast from another phone. The result of this is that “two iPhone users [who] sat next to each other on a train, both playing the game Candy Crush, would fail to register as a contact, unless a third phone was nearby with the app open.”[44]

2. Centralized Model

The app uses a centralized model, which means the matching process occurs on a centralized computer server.[45] A decentralized model, which was proposed by Apple and Google, would have limited the data exchange to individual users’ cell phones and was rejected by the NHSX, which stated the centralized system will provide it with more insight into how the disease spreads and improve the efficiency of the app.[46]
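The difference between the two models is easiest to see in what the server ends up holding after one symptom report. The following sketch is an added illustration, not code from the NHS app or from the Apple and Google proposal; the class and function names and the identifiers are hypothetical, the sample encounters are constructed, and the risk scoring and identifier rotation used by real systems are left out. Only the 28-day window is taken from the report.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

WINDOW_DAYS = 28  # contact window stated in the report


@dataclass
class Phone:
    install_id: str                            # constructed anonymous identifier
    seen: list = field(default_factory=list)   # (other_id, day) proximity events

    def recent(self, today):
        """Proximity events still inside the 28-day window."""
        cutoff = today - timedelta(days=WINDOW_DAYS)
        return [(other, day) for other, day in self.seen if day >= cutoff]


def meet(p, q, day):
    """Both phones log the other's identifier, as a Bluetooth exchange would."""
    p.seen.append((q.install_id, day))
    q.seen.append((p.install_id, day))


class CentralServer:
    """Centralized model: the reporter uploads contact events, the server matches."""
    def __init__(self):
        self.contact_edges = set()   # who-met-whom records held by the operator

    def report_symptoms(self, phone, today):
        to_alert = set()
        for other, day in phone.recent(today):
            self.contact_edges.add((phone.install_id, other, day))
            to_alert.add(other)
        return to_alert


class BulletinServer:
    """Decentralized model (simplified): the server only relays reporter IDs."""
    def __init__(self):
        self.reported_ids = set()

    def report_symptoms(self, phone):
        self.reported_ids.add(phone.install_id)


def local_match(phone, bulletin, today):
    """Matching done on the handset against the published reporter IDs."""
    return any(other in bulletin.reported_ids for other, _ in phone.recent(today))


def run_scenario():
    today = date(2020, 5, 22)
    a, b, c = Phone("id-A"), Phone("id-B"), Phone("id-C")
    meet(a, b, today - timedelta(days=3))    # inside the window
    meet(a, c, today - timedelta(days=40))   # outside the window

    central = CentralServer()
    alerted_central = central.report_symptoms(a, today)

    bulletin = BulletinServer()
    bulletin.report_symptoms(a)
    alerted_local = {p.install_id for p in (b, c) if local_match(p, bulletin, today)}
    return alerted_central, central.contact_edges, alerted_local, bulletin.reported_ids


if __name__ == "__main__":
    for item in run_scenario():
        print(item)
```

Both models alert the same phone, but only the centralized server retains a record of which identifiers were in contact with each other, which is the data at issue in the de-anonymization concerns discussed in Part III.C.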

3. Voluntary Uptake

Installation and use of the app is entirely voluntary, although a document from the body established to consider the ethics of the app has noted that it is possible the app could be a requirement for individuals returning to work or using public transportation.[47] The app also allows people to voluntarily opt in to report their symptoms and when they started feeling unwell.[48]

4. Trial

The NHS’s contact tracing app was tested on the Isle of Wight, where the island’s 80,000 households were asked to download the app beginning May 5, 2020. The Isle of Wight was selected as the place for trial due to its elderly population and low numbers of cell phone users. The BBC reported that if the trial “is successful despite these challenges then that will show it can work across the UK.”[49]

The app was downloaded 55,000 times within the first week of being launched, although, as the device does not track location, some downloads may have occurred outside the Isle of Wight.[50] By May 14, 2020, around half of the Island’s population had reportedly downloaded the app.[51] Any person who voluntarily reports their symptoms during this trial will be brought a test for COVID-19 within 24 hours, according to the Telegraph.[52]

The test revealed that the app affected the battery power of certain iPhones.[53] Concerns have also been raised that delays of up to a week for people to receive test results may undermine the effectiveness of the app. The government has noted that using Bluetooth has both limitations and risks. Bluetooth may miss connections if phones are in bags or pockets that weaken the signal, which in turn can make the distance measurements unreliable.[54] Keeping Bluetooth turned on can also pose a security risk. The phone’s unique identifier could be collected by third parties in the area for malicious purposes and it may render phones vulnerable to hacking and malicious software uploading.[55]

B. Contact Tracing for People Without the App

The app is only one part of the UK’s approach to tackling COVID-19. The government has also established the COVID-19 Test and Trace Taskforce,[56] which is responsible for ensuring that people who develop symptoms of COVID-19 have fast access to a test to determine if they have the virus. The Test and Trace Taskforce will also conduct manual contact tracing, which was used at the start of the outbreak before the cases of COVID-19 became so widespread,[57] to alert people who have had close contact with the person. The aim of this is to

  • identify who is infected more precisely, to reduce the number of people who are self-isolating with symptoms but who are not actually infected, and to ensure those who are infected continue to take stringent self-isolation measures; and
  • ensure those who have been in recent close contact with an infected person receive rapid advice and, if necessary, self-isolate, quickly breaking the transmission chain.[58]

The government has noted that it is necessary for testing and contact tracing to 

. . . operate quickly for maximum effect, because relative to other diseases (for example SARS) a proportion of COVID-19 sufferers almost certainly become infectious to others before symptoms are displayed; and almost all sufferers are maximally infectious to others as soon as their symptoms begin even if these are initially mild.[59] 

The government is working to ensure that all components of contact tracing are 

. . . fully joined up to make the system as seamless as possible for members of the public and to ensure the app complements more traditional measures. This coordinated approach will help protect vulnerable groups, including those who cannot or do not want to use digital tools.[60]

People with symptoms who see their doctor or receive a positive test result for COVID-19 are being referred by their doctor to the contact tracing team, and individuals will also be able to report their symptoms and order testing for COVID-19 over the phone or online.[61] The contact tracing team will then contact the person by phone or email to get a list of people who they have been in close contact with and places they have visited over the days prior to displaying symptoms, or receiving the positive test result.[62] The contact tracer will then call or email individuals on the list and advise them to self-isolate for seven days and call the contact tracing team if they display any symptoms, at which point their contacts will be tracked and asked to self-isolate.[63] The design allows the notification that people self-isolate based on the self-reported symptoms of other users to be reversed at a later date if the person later tests negative for COVID-19.[64]

The app and contact tracing require a significant amount of human resources to operate effectively. The government aims to have 25,000 people to trace the contacts of people testing positive for COVID-19, with the aim being to track the contacts of 10,000 COVID-19 cases per day by June 1, 2020.[65]

The UK is also planning to use the Joint Biosecurity Centre to provide analysis and assessment of outbreaks of COVID-19 at the community level in a manner that enables a rapid intervention before the outbreak grows further.[66]

C. Compatibility of Measures with Privacy Rights

The government’s COVID-19 Recovery Strategy states that the measures being taken “will involve an unprecedented degree of data-collection . . . [and] the government will enact robust safety measures.”[67] These safety measures are not mentioned in the UK Government’s COVID-19 Recovery Strategy. Information collected by the app and through the Test and Trace program will be compiled together and “form part of a core national COVID-19 dataset.”[68]

The app does not collect any personally identifiable information about the user, nor is the location of the user collected. Users of the app are anonymous, and data collected by the app from users is used for “NHS care, management, evaluation and research.”[69] As use of the app is not mandatory, the NHSX notes that it may be deleted at any time by its user[70] and any record stored on the user’s phone is deleted after 28 days if the user, or his or her contacts, have made no reports of symptoms or contact with anyone with COVID-19.[71]

The centralized data collection point has also been designed to ensure security of the data held there, although this data is anonymous “and communicates out to other NHS systems through privacy preserving gateways, so data in the app data can’t be linked to other data the NHS holds.”[72] The government has noted that location data for each individual is unique and thus the individual may be able to be identified from their location data alone, even with the data being stored anonymously.[73]

Concerns have been raised that the anonymized data in a centralized model “could be de-anonymized and used for surveillance purposes.”[74] The Ada Lovelace Institute and Parliament’s Joint Committee on Human Rights have recommended that primary legislation be introduced to “impose strict purpose and time limitations on technical solutions to support transition from the crisis”[75] and to “provide legal clarity about how data gathered by a contact-tracing app could be used, stored and disposed of . . . [to] increase confidence in the app, which would increase uptake and improve the app’s efficiency.”[76]

The National Cyber Security Centre has stated that the risk of anonymized data collected by the app being used to re-identify users is very low. It notes that in other circumstances the re-identification of anonymized users can sometimes occur where information about an individual is available, such as their age, gender and location, and such data can only apply to a particular person. The National Cyber Security Centre says that the app does not collect enough information to enable such re-identification of its users to occur. It does note that users may have to be identified to the NHS, for example for them to take a test, but that “if that happens through the app, the system uses a privacy preserving gateway to be able to link a test to an app Installation ID anonymously”[77] and will not connect this information to the person’s identity or NHS record.

The Centre for Data Ethics and Innovation (CDEI) has noted issues arising as a result of the limited development time for the app:

The speed of development means that working transparently and enabling scrutiny is not straightforward. New decisions are taken every day, and sometimes changed a day later as new evidence or technical challenges emerge. Explaining this to the public without undermining confidence is hard--particularly at a time when people want to be reassured that their governments have the crisis in hand.[78]

While expressing concern over certain aspects of the app, the Joint Committee on Human Rights has noted that the benefit provided by the app may outweigh the risks to privacy:

The privacy concerns about the contact tracing app are certainly pertinent to human rights, especially Article 8, which protects the right to private and family life. However, Governments also have a responsibility to protect Article 2 ECHR, the right to life. If the app demonstrably protects lives and can help to ease the constraints of a lockdown, then this is a very relevant factor in assessing the proportionality of any interference with the right to a private life under article 8 ECHR.[79]

The Joint Committee on Human Rights, as noted above, has called for the government to introduce a legislative basis for the app to help create public trust and possible participation, along with requiring a formal human rights assessment to occur. It has noted that

this degree of formal rights balancing is lacking at present, being left to the NHSX team and its advisory bodies. In particular, Parliamentary scrutiny would allow for consideration as to whether the use of a centralised system, as opposed to a decentralised system, is reasonable and proportionate. The implementation and oversight of this app must, in our view, be urgently placed on a legislative footing; if rolled out without being governed by a clear legislative framework it risks not complying with the provisions of the ECHR.[80]

Despite calls for the app to be placed on a legislative basis, the government has maintained that this is not required because use of the app is voluntary and protections currently provided by the Data Protection Act and Human Rights Act are sufficient.[81]

D. Oversight Mechanisms

The NHS established an App Oversight Board and an independent Ethics Advisory Board[82] (EAB) to ensure that any questions about ethics, privacy, and security “are properly explored and addressed.”[83] The EAB provides advice, guidance, and recommendations on ethical issues raised by the use of the app to the App Oversight Board.[84]

The CDEI has noted that this decision making should be “guided by an ethical approach, identifying the trade-offs and endeavouring to reflect the reasonable expectations of citizens.”[85] It has worked with the EAB to establish core principles that will help to guide the development of the app. The EAB has tentatively published a “Public Trust Matrix” that details “key components of trustworthy data use and set[s] out the issues to be addressed within them.”[86]


Prepared by Clare Feikert-Ahalt
Senior Foreign Law Specialist
June 2020

