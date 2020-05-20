Strategic Command’s innovation hub, jHub, is supporting NHSx to securely gather and share Covid-19 symptom data for project OASIS.

Several third-party apps and websites have been collecting Covid-19 symptoms and basic demographic data to track the spread of the virus. OASIS will not be receiving, or requesting, data that can identify individuals (e.g. names or GPS specific location data).

Project OASIS is supported by JHub for "coordination and coherence of the Covid-19 symptom tracker apps; including facilitating the secure transfer of relevant symptom and epidemiology data from the third party Covid-19 apps to the NHSx datastore."

Information and any free text inadvertently identifing users is removed so that only symptom and demographic data is included. The data is checked for any security issues, with any incorrect or duplicate data erased, then it is securely shared with NHSX, (NHS England) to understand where the virus is spreading and how quickly.

A government statement says: "Project OASIS will adhere to strict controls to ensure the data sharing meets data protection legislation."

Natasha Gedge, the chief operating officer at jHub, commented: "At jHub, we are always working to deliver for UK Defence and we are proud to be able to take our approach, and apply it in support of the NHS and the people of the UK.

NHSx and jHub say they are only working with apps that have been assessed to the NHS Digital Health Technology Standard or against the Digital Assessment Questionnaire (DAQ) including the following App Providers,

Agitate Ink C-19

Collected Cognition - FightCovid.info

Corona-help.co.uk

Evergreen

LetsBeatCovid.net

TrackTogether

YourMD

More are reporedly to be announced shortly.

In an email to SC Media UK Grant Goodes, chief scientist at Guardsquare supported the approach to data privacy adopted by OASIS, but nonetheless warned of the dangers posed by potential hackers. He said: "It appears the the NHSx programme (project OASIS) is a well-considered and practical approach which recognises the serious concerns around data privacy while still maintaining effectiveness. Simply put, as an essential element of this programme, Contact Tracing apps must be trusted by the general public, or else will not be broadly installed and adopted, which will defeat their basic effectiveness."

However, he went on to add, "There are two primary elements to ensuring that Public Trust can be established: The first is a basic design with privacy and data-security in mind, and on this front, the OASIS project seems to be on solid ground, with a data-gathering and -sharing model that adheres to the highest standards expected of UK and European governments (as enshrined, for example, in GDPR).

"The second, and equally important aspect is Application Hardening: Even with the best data-security design, the application code itself is vulnerable to exploitation by malicious actors including criminal organisations or even amateur hackers, and as has been demonstrated again and again, the "out of the box" resistance of mobile applications against modern hacking tools and techniques is effectively zero. In order to ensure that Contact Tracing apps do not become a target for exfiltration of personal data, the developers and deployers of these apps must include code- and data-obfuscation protections as well as RASP (Runtime Application Self-Protection)."

An NHS tracing app went on trial on the Isle of Wight on 4 May, and nationwide rollout is scheduled to follow the three week trial, thus by the end of May. To date about half the IOW population have downloaded the app. While the government aim is for 60 percent coverage, the shortfall doees not appear to be due to privacy concerns raised regarding the central data sharing model, but due to older phones not having access plus some segments of the population not being Internet users (about two million in the UK are believed not connected, and another seven million described as having very basic skills/limited usage).

A list of tracing apps and an assessment of their privacy levels is provided by Samuel_Woodhams, digital rights lead at Top10VPN which provides a t Live Index, as reported by SC Media UK.