NHSX, the digital arm of the NHS, has taken a different path in developing its coronavirus contact tracing app to that proposed by US tech giants Google and Apple.

Contact tracing apps, which are designed to automatically alert members of the public if they have been in close contact with an individual who has contracted coronavirus, have been lauded as a solution to fighting the coronavirus pandemic. However, they raise questions about the delicate balance to be struck between acting in the collective good and individual privacy rights, particularly in nations falling within the scope of the GDPR and similar legislation. Additionally, they are at their most effective when user adoption is high. Europe-based app designers are debating the relative merits of centralised approaches, such as that adopted by NHSX, and decentralised approaches, such as Google and Apple’s joint solution.

NHSX argues that the centralised approach, where data is stored on a centrally managed server, allows it to get more insight into the coronavirus spread and evolve its systems accordingly. However, this raises some concerns from privacy and information security perspectives. Significant technical and organisational measures would need to be taken to protect large volumes of data stored centrally from cyber criminals. With cyber security incidents on the rise during the pandemic, NHSX would be wise to invest in this. From a privacy perspective, concerns about function creep are very much alive, with some organisations being concerned about centralised contact tracing apps’ vulnerability to being repurposed to conduct unwarranted mass surveillance. By contrast, the decentralised approach does not require data to be transferred from individuals’ handsets, decreasing the risk of function creep and the overall security risk.

It is important that these concerns are addressed properly to avoid impacting user adoption. After all, these apps aren't going to be effective if people don't use them.