In this cross-posting with The Conversation, De Montfort University’s Professor of Cybersecurity Eerke Boiten describes his experience navigating the UK’s NHS vaccine passport app.
England’s NHS vaccine passport has arrived, and with it the promise of a return to international travel unencumbered by swab tests or lengthy periods of quarantine. Most people will have received this news with excitement, but it’s my job to look closer at what’s going on behind the app. And what I found is troubling.
Instead of impact assessments that provide us with reassurance that risks have been responsibly mitigated, the vaccine passport has been released with a privacy notice that appears to contradict the caution and care the UK government has so far professed to be applying to this controversial technology.
Earlier in 2021, the government acknowledged that “deep and complex issues” around vaccine passports would need addressing before their release. Critics fearful of government data grabs and unfair applications of the technology were placated by the promise that serious limitations would be placed on the application of vaccine passports – ruling out their use in pubs and restaurants, for instance.
Yet that’s not what we see in the new app service’s privacy notice – which is, in its most generous interpretation, rather sloppy. The stated purpose for the vaccine passport is to make it an integral part of “unlocking” society – but that comes with serious surveillance and discrimination concerns.
Trying out the NHS app
On 28 April, the transport secretary, Grant Shapps, made the casual announcement that the NHS App – not the NHS Covid-19 app – was going to be extended to function as a vaccine passport for international travel. This was my cue to install the app and try it out.
Logging in, I discovered the app already knew about my first COVID-19 vaccination, listed alongside all my prescriptions going back 15 years – not information I would normally choose to share at border control.
My app then updated itself on 15 May. A new “Check your COVID-19 vaccine record” tab had appeared, showing my vaccination information on a screen by itself – a sensible update. There was also a web version of the service, with terms of use and a privacy policy that I found reassuring in many ways.
But this was not the vaccine passport functionality, it has now turned out. The next app update, on 18 May, added yet another tab: “Share your COVID-19 status”. Initially it adds “for travel”, but the new privacy notice that accompanies it tells a different story:
As the country resumes normal functions, this data will be useful for further aspects of unlocking as they arise.
International travel was merely an example of how the data would be used. Here lie significant problems that critics have been concerned about for some time. For one, the broader use of vaccine passports raises issues of discrimination between those who have and have not been offered vaccinations.
But using vaccine passports in scenarios other than international travel also necessarily increases surveillance, seeing as you’ll need to prove that the vaccine certificate on your phone truly belongs to you. When we travel internationally, we’re used to carrying a passport along with flight tickets and required vaccination certificates – but for events and social gatherings, we don’t expect to have to identify ourselves.
Concerning privacy policy
The latest privacy policy also contains a long and confusing list of personal data under “The Personal Data we collect and how it is used”, some of which look worryingly sensitive – such as ethnicity, vehicle registration plate, national insurance number, employer, biometric and genetic information and criminal convictions.
The list isn’t an exhaustive collection of all types of “special category data”, which receive extra legal protection due to their sensitivity, so until we receive clarification it’s unclear why such data are even listed. The NHS has expressed that it does not collect this list of data.
The service is designed as a simple and easy means to enable users to show their covid vaccine status for international travel. It does not collect data on national insurance numbers, car registrations, employer or occupation details or any such equivalent data.
— NHS (@NHSuk) May 19, 2021
It’s possible that this confusing list of data items is just copied from a previous privacy policy and pasted into this one – a practice apparently used for some sections of the UK’s Brexit agreement, as was revealed in December 2020. If this is the case, it would reveal a privacy-as-afterthought attitude that’s at odds with how widely used and far-reaching this app looks set to become.
There is reference to a data sharing agreement in the privacy policy, which could reveal the wider scope of the vaccine passport. This data sharing could also be related to the wide range of data stored in the “COVID data store”, run by the government’s digital health agency, NHSX.
Also concerning is the fact that the data governance of the vaccine passport itself is managed by the Department for Health and Social Care rather than being left with the NHS England data service. This puts a UK government department in charge of a service that works only for England – again, it’s unclear why this is the case.
All this leaves me with enough unease about the vaccine passport that I do not intend to sign up to it unless circumstances force me to use it for international travel, and I may still prefer the paper alternative in that case.
Possible reassurances
Is there anything NHSX could do to reassure me? Absolutely. A data protection impact assessment should be produced and published. This would tell us all about what data is actually used, including an explanation of why data collection is both necessary and proportional.
I’d be looking out for an assessment of the risk of “function creep”: the widening of the scope of use, which could see our tickets for international travel converted into something more sinister and concerning. It would also need to address general impacts to rights and freedoms, such as those related to equality.
Performing such an impact assessment is actually specifically legally required, and should already have been done. Publication is unfortunately not compulsory, but we still don’t know whether one was done at all.
For now, however, it appears that the UK government has definitively abandoned its previous cautious position on vaccine passports, without providing any reassurances that would enable broad public support.