Digital activists sound the alarm over UK's 'coronavirus datastore' plans
A dozen groups including Liberty and medConfidential have written to Matt Hancock demanding answers
A broad coalition of privacy and digital rights activists have demanded answers to pertinent questions regarding the government's plans to build a COVID-19 datastore, in partnership with several major tech giants.
NHSX revealed plans in March to aggregate thousands of data points into a unified dataset in order to monitor and fight the spread of COVID-19 across the UK. The project would involve consolidating information to help decision-makers gain more visibility into the state of the virus, and how successful the response may be.
The datastore, which is being developed in partnership with Amazon Web Services (AWS), Microsoft, Google, AI firm Faculty, and Palantir, would be managed by NHSX. Moreover, in light of data protection concerns, the Department for Health and Social Care (DHSC) originally pledged that data will either be destroyed or returned in line with the law once the public health emergency has ended.
Anxieties have swelled, however, over reports that the companies involved would be well-positioned to continue providing services based on a very similar model once the coronavirus pandemic has regressed. A report in the New Statesman, for example, suggested the project is likely to outlive COVID-19.
In light of these concerns, a dozen organisations and a string of individuals, including campaigners from openDemocracy, the Open Rights Group, medConfidential and Liberty, have penned a letter addressed to health secretary Matt Hancock.
In it, the signatories urge the NHS to provide the public with more information, as well as take measures to reduce the risk of data sharing and keep the aggregated data under “democratic control”.
The letter cites a report in the Guardian suggesting the companies involved are processing large volumes of confidential patient data in a data-mining operation. One NHS document, for example, suggested Faculty had considered using the data to run a simulation to assess the impact of “targeted herd immunity”, although the company denies any such simulation took place.
“Emergencies require rapid responses, but these responses should also be appropriate, lawful and just,” the letter reads. “It’s unlikely that the NHS’s current plan to build a large-scale Covid-19 datastore meets those principles.
“We understand the need for better health information, but maintain that the public should be consulted throughout the development of the datastore and be able to obtain adequate information about the data-sharing agreements in place.”
Points the letter requests clarification on include what problems the NHS aims to solve by building a datastore, how it's being financed, whether the NHS has considered any tradeoffs, and which agreements are in place with private partners.
The letter also wants the government to reveal who is conducting risk assessments, which specific data points each partner will have access to, and to what extent data access by partners will be audited.
Answers to the questions being put forward are fundamental to maintaining public trust in the NHS and to help keep high-risk personal data safe, the signatories added.
Questions of data protection and privacy have arisen not just in the development of the datastore, but in the development of a contact-tracing app. The COVID-19 app, which is due to be released over the coming weeks, is thought to be key to easing lockdown measures.
The centralised model pursued by the UK government, however, has raised concerns over whether gathering data into a single hub may lead to violations of privacy and data protection principles. As a result, the NHS has even reportedly begun work on a second NHS app, which follows a decentralised model based on an API developed by Google and Apple.