Contact tracing and immunity passports: questions for the government

We continue to hear bits and pieces about the way that mobile apps may be developed, and about the possibilities that Immunity Passports might come with intrusive database projects. We have today produced a briefing.

This sets out questions the Government and ICO need to answer in order for the public to understand what these projects may mean for them.

Mobile contact apps

We think that the government needs to urgently explain what its approach to mobile contact tracing apps may be. These are mooted as potentially important for a post lockdown world, where infections need to be identified so people can self-isolate. The government needs to explain the clinical basis for its approach – there is some controversy about how well these tools may work. Proximity, even based on relatively accurate Bluetooth connections, will not always be the same as risky contact, for instance.

The governmment must explain how privacy is protected, not least so that it has a good chance of persuading vast numbers of people to install and run these apps: it needs something like 60% of adult to use the app; and 80% of adults have a smartphone. Most of those will need to install it.

There are different potential approaches, and a series of possible technologies being developed. Some are centralised, others decentralised. The European PEPP-PT project (“Pan-European Privacy-Preserving Proximity Tracing”) appears to be co-ordinating and potentially picking which approach to use. However, the government has made no statement about how it is working with PEPP-PT. 

Related to this, contact tracing, whether using Bluetooth location data or not, will need to work across borders. The PEPP-PT project recognises this; we need to know how the government will work to ensure this can take place, again while protecting privacy.

Immunity passports

The idea of ‘immunity passports’ is being pursued by the government. Potential approaches could preserve privacy, through using ‘attestation’ from trusted parties. However, other approaches could involve centralised databases, potentially of the whole population, recording their immunity status.

Here we again need clarity from the government about the likely approach, governance model, and so on.

ICO advice

Privacy and data protection continue to be important in the crisis, in order to maintain trust and the rule of law. The ICO has a critical role explaining some of the difficult aspects of law, and also to state the duties of private and non-health government organisations during the crisis.

The ICO should explain when it intends to release advice.

Legal analysis

Our document gives a brief overview of data protection law in this area. In short, data protection laws and protections continue to apply, even when exceptional arrangements are in place. In particular: lawfulness, fairness and transparency; purpose limitation; data minimisation; storage limitation; integrity and confidentiality continue to be required.


Our briefing does not cover surveillance law; here we again need aq great deal of clarity about the use of existing government powers. We will be following with a further briefing. you can also read this blog by Javier Ruiz detailing some of our thoughts.

Full briefingread here.