According to the review here: https://osf.io/preprints/lawarxiv/6fvgh

There are several GDPR compliance problems that must be cleaned up before this app can legally be allowed to be released and used by people in the European Union.

Page 6: Deprivation of the right of erasure (GDPR, art 17)
"The NHSX App appears to deny people access to the right to erasure (also called the 'right to be forgotten') without a specified lawful reason for doing so"

"The data can be deleted as long it is on your own device. Once it is uploaded, it becomes enmeshed in wider data, and the technical difficulties of deleting it at that point become tricky"

This would be a violation of the GDPR. Since you are obliged to delete data from your system on request by the user. It would be illegal and contrary to the law itself to release an application which specifically denies this right as a purposely built in functionality.

Then there is another issue:
Page 7: Unlawful deprivation of the right of access (GDPR, art 15)

Again, contrary to the law and legal obligations.

If you continue to read this document, you find more and more privacy violations and issues with its data collection and retention techniques.

It appears that the NHS application is being built deliberately to violate that law despite it being subject to fines to do so.

It appears that the NHS is planning to just steamroll over peoples privacy with an application on the premise of a "Install it or you might die" scare tactic and bully people into giving up their rights despite laws already enacted and in place to protect those rights and in the hope that people don't file lawsuits in order to draw attention to these privacy and legal violations.

It's morally wrong to give people this choice. Install a privacy violating phone tracking application, or suffer the consequences of potentially dying.

Steamrolling over peoples rights like this cannot be allowed to become an acceptable practice and allowing this application to do that will encourage other more unscrupulous people to take things a step further.

I just want to add to this because I think some people might have misunderstandings about responsibilities. I got an email with a reply, but I think the reply was deleted before I could respond. I will address the contents of the email Github sent to me.

1. It's not my problem if deleting my data from your system is hard, it's your responsibility to make it happen. It's not my responsibility to accommodate your badly designed system which cannot comply with the law

2. If malicious deletions are a problem. Then it's the application developers responsibility to ensure that I can still delete my data in a secure fashion. It's not my responsibility in any way if deleting data is error-prone or problematic due to insufficient design

3. It doesn't matter if deleting my data affects the functioning of the system, as in other users cannot now match with the information my data provided. The law is the law. It's maybe not ideal. But if your system cannot comply with the law and function correctly. Then the system must be redesigned. Again, that's not my responsibility. The responsibility for this lies squarely at the author's feet.

4. The device ID containers PII and it's transmitted to the server, in addition, the Sonar ID as I understand it is hidden away in an inaccessible part of the application and it's used to generate derivative information, which can be related back to the PII. Therefore it's not anonymous at all. It's pseudo-anonymous. Which isn't anonymous and therefore it's still covered by the rules of PII. Also is used part of the postal code provided by the user when installing the application. Which is clearly PII.

The severity and need for an application to perform contract tracking does not override my rights as a citizen and if it's used as a means to steamroll over my freedoms, then it should be pushed back against. Especially if there are alternatives which provide the same functionality, but without the problematic GDPR violations that this application inflicts upon it's users.

I would naturally expect that the NHS, given its experience with personal information would already know it's obligations under the GDPR. But clearly the application developers have not taken the appropriate courses to know how to how in this case, how not to handle GDPR compliance.

Thanks for this, Chris. I am not a privacy lawyer, so I cannot answer these questions directly.

You can read about the GDPR advice we have received at https://www.nhsx.nhs.uk/covid-19-response/data-and-information-governance/information-governance/covid-19-information-governance-advice-ig-professionals/

In addition:

We have been consulting on our plans with the Information Commissioner (see this blog), the National Data Guardian’s Panel and the Centre for Data Ethics and Innovation, as well as with representatives from Understanding Patient Data and volunteers who provided a patient and public perspective. We have established an ethics advisory board for the app, chaired by Professor Sir Jonathan Montgomery from University College London who previously headed the Nuffield Council on Bioethics. Their advice and expertise will be crucial to everything we do.
https://www.nhsx.nhs.uk/blogs/digital-contact-tracing-protecting-nhs-and-saving-lives/

Thanks for your reply. The link given does refer to some articles of the GDPR, however, they fail to address articles 15 and 17 as mentioned above.

It would appear that the advice you have received is incomplete and does not cover all of the responsibilities that you are under an obligation to inform yourself about and appropriately handle.

As a handler of private data, you are under the obligation to follow and adhere to the articles, including the ones you don't know about. You need to acquire more advice, specifically about the areas mentioned and how the application will ultimately break the law unless changes are made.

Many thanks. I'll pass this advice on. As this is a repository for technical issues, I'll be closing this issue.