Britain’s Information Commissioner’s Office (ICO) has confirmed it is investigating grumbles about heavy-handed marketing emails and texts promoting the NHS COVID-19 contact-tracing app in England.
Between 26 and 27 September, NHS Test and Trace messaged anyone resident in the country who was over the age of 16 and had previously provided their contact details to a GP. Those contacted had not specifically opted in to receive marketing communications regarding the NHS COVID-19 app.
In its FAQ, the NHS justified the mass email-and-text blast by underlining the urgency of the current situation. “It was determined a matter of public health importance to encourage people to download the app as a critical part of NHS Test and Trace,” it wrote.
“England is experiencing a second peak of coronavirus transmission, resulting in a number of local restrictions and tightening of national restrictions. Encouraging people to download the NHS COVID-19 app is considered by the Department of Health and Social Care (DHSC) to be a highly important tool for managing and monitoring the outbreak, and a matter of public interest.”
In a statement sent to The Register, the ICO confirmed it had started investigating people’s gripes though it did not disclose to us how many it had received. “We have received complaints in relation to text and email messages being sent about the NHS COVID-19 app and we are making enquiries,” said an ICO spokesperson.
NHS COVID-19 launched on 24 September for England and Wales – Scotland and Northern Ireland already had their own COVID-19 awareness apps by this point.
The software arrived at an acutely challenging moment for the UK’s fight against the pandemic. Infection rates have skyrocketed, prompting local lockdowns across large parts of Wales and northern England. Given these circumstances, cybersecurity expert Professor Alan Woodward, of the University of Surrey, understood why the NHS opted for the path it took – although he noted the data should be used with the strictest safeguards.
“I suppose I can see why they did it,” he said. “What I was unaware of, and so I suspect are others, is that GPs share our phone numbers with other parts of the NHS. It would be nice to know how it is protected and specifically how NHS digital are ensuring it doesn’t become a victim of hackers.
“Much, I suspect, may depend on how it is stored. If it’s stored and associated with other personal data, it represents an incredible target. It would effectively be the phone number of everyone over 16 who has a mobile phone (assuming they registered the mobile with their GP which most do ask for as they now send texts from the local surgeries with things such as appointment reminders).”