Addressing some of these concerns, the Ministry of Defence Strategic Command’s innovation hub, jHub, is now supporting NHSx to securely gather and share Covid-19 symptom data for project OASIS.
Several third-party apps and websites have been collecting Covid-19 symptoms and basic demographic data to track the spread of the virus. OASIS will not be receiving, or requesting, data that can identify individuals (e.g. names or GPS specific location data).
Project OASIS is supported by JHub for "coordination and coherence of the Covid-19 symptom tracker apps; including facilitating the secure transfer of relevant symptom and epidemiology data from the third party Covid-19 apps to the NHSx datastore."
Information and any free text inadvertently identifing users is removed so that only symptom and demographic data is included. The data is checked for any security issues, with any incorrect or duplicate data erased, then it is securely shared with NHSX, (NHS England) to understand where the virus is spreading and how quickly.
A government statement says: "Project OASIS will adhere to strict controls to ensure the data sharing meets data protection legislation."
Natasha Gedge, the chief operating officer at jHub, commented: "At jHub, we are always working to deliver for UK Defence and we are proud to be able to take our approach, and apply it in support of the NHS and the people of the UK.
NHSx and jHub say they are only working with apps that have been assessed to the NHS Digital Health Technology Standard or against the Digital Assessment Questionnaire (DAQ) including the following App Providers,
More are reporedly to be announced shortly.
In an email to SC Media UK Grant Goodes, chief scientist at Guardsquare supported the approach to data privacy adopted by OASIS, but nonetheless warned of the dangers posed by potential hackers. He said: "It appears the the NHSx programme (project OASIS) is a well-considered and practical approach which recognises the serious concerns around data privacy while still maintaining effectiveness. Simply put, as an essential element of this programme, Contact Tracing apps must be trusted by the general public, or else will not be broadly installed and adopted, which will defeat their basic effectiveness."
However, he went on to add, "There are two primary elements to ensuring that Public Trust can be established: The first is a basic design with privacy and data-security in mind, and on this front, the OASIS project seems to be on solid ground, with a data-gathering and -sharing model that adheres to the highest standards expected of UK and European governments (as enshrined, for example, in GDPR).
"The second, and equally important aspect is Application Hardening: Even with the best data-security design, the application code itself is vulnerable to exploitation by malicious actors including criminal organisations or even amateur hackers, and as has been demonstrated again and again, the "out of the box" resistance of mobile applications against modern hacking tools and techniques is effectively zero. In order to ensure that Contact Tracing apps do not become a target for exfiltration of personal data, the developers and deployers of these apps must include code- and data-obfuscation protections as well as RASP (Runtime Application Self-Protection)."
An NHS tracing app went on trial on the Isle of Wight on 4 May, and nationwide rollout is scheduled to follow the three week trial, thus by the end of May. To date about half the IOW population have downloaded the app. While the government aim is for 60 percent coverage, the shortfall doees not appear to be due to privacy concerns raised regarding the central data sharing model, but due to older phones not having access plus some segments of the population not being Internet users (about two million in the UK are believed not connected, and another seven million described as having very basic skills/limited usage).
In a separte development, outsourcing firm Serco has apologised after accidentally sharing the email addresses of almost 300 contact tracers, according to BBC News. Serco is one of the companies hiring, training and operating the 15,000 contact tracers who do not have clinical training, and shared the information when emailing trainees to tell them about training.
When the Home Office made a similar error last year it referred itself to the Information Commissioner, but Serco is not intending to do this. The error did not involve patients' data, but does not bode well for a project that is set to ask many thousands of people who have fallen ill to share the details of their friends and acquaintances.
Jake Moore, cybersecurity specialist at ESET commented:“At a time when people are already questioning the app’s privacy concerns, this comes as a serious blow. Apps like this need the public’s inherent trust from the outset, so learning of even a small number of email addresses leaked is a shame. Those affected should remain aware that they could be used in phishing attempts – but luckily the numbers are low enough to mitigate any further risk. There is a genuine dilemma amongst many people as to whether or not we should download this app with the potential privacy concerns. The question is now whether the public will trust the app after this has happened so soon? Moreover, if the app does not achieve the desired uptake, it is flawed from the start.”