Labour MP Harriet Harman, head of the parliamentary Joint Committee on Human Rights, is seeking permission to introduce the committee’s proposed Contact Tracing (Data Protection) Bill before parliament as a private member’s bill, should it not be adopted by the government.
The proposed bill addresses a number of concerns around the implications on human rights of the UK’s contact-tracing app, which is currently undergoing beta tests on the Isle of Wight ahead of a national roll-out.
“We cannot rely on the current, failed, mishmash of protections that were never envisaged for this situation. We need new legislation,” said Harman. “Government collection of our movements and physical contacts would have been unconscionable before, but now it is happening.
“Big powers demand big safeguards. The government should not resist their assurances being put into law. Parliament completed emergency legislation for new powers. It can do it now for new protections.”
The key components of the bill are to: establish the purposes within law for which contact-tracing app data can be gathered; prohibit its use for any other purposes; set out who gets access to it and stop anybody else from getting access to it; ensure the app’s security is certified by the National Cyber Security Centre (NCSC); commit the government to review and report to parliament every 21 days; ensure the data is deleted after the pandemic; and appoint a contact-tracing human rights commissioner.
The committee submitted a draft bill to health secretary Matt Hancock on 7 May 2020, to put his previous assurances on the app’s security on a legal footing, and will today send the bill to Commons leader Jacob Rees-Mogg, requesting that if it is not adopted by the government, that Harman be given permission to introduce it as a private member’s bill.
This is necessary because there is currently no process for private member’s bills to be introduced. In any case, the committee said, Harman will present it as a presentation bill, which will allow its introduction on the floor of the House.
The committee said it believed the bill could be enacted by parliament and receive royal assent very quickly and in time for the roll-out of the app beyond its testing phase.
One of the most pressing concerns about privacy and human rights relating to the app is the fact that the current version operates a centralised data-processing model. This means the data on its users’ Covid-19 status that it generates is sent to, and controlled by, a central server. This is out of step with the decentralised model favoured in much of the rest of the world, whereby the data remains on, and is controlled by, the originating device.
Giving evidence to the Joint Committee on Human Rights earlier in May, Michael Veale, a lecturer in digital rights and regulation at University College London, said that despite Hancock’s assurances, the centralised model could very easily be decrypted into a form that would allow the originating device to be singled out.
He said that knowing this information could help the authorities identify clusters of friends, families, colleagues, or even political activists. It would also allow a device to be tracked very easily.