Friday, September 24, 2021
Secrecy and opacity behind the covid passport
Reluctantly, I have registered with the NHS App and got myself a covid passport because the Labour-run Welsh Government insists that I cannot attend Swans games without it. The registration process was both bizarre and unsettling, requiring me to record a selfie video reading out four letters to enable authentication. Is this really acceptable and why are Welsh Labour backing up the Tories in this potential data-breach minefield? Are Labour Ministers comfortable with the lack of transparency behind contracts and data storage involved in this process?
The Guardian reports that undisclosed companies are analysing facial data collected by the NHS app, prompting fresh concern about the role of outsourcing to private businesses in the service. They add that data security experts have previously criticised the lack of transparency around a contract with the NHS held by iProov, whose facial verification software is used to perform automated ID checks on people signing up for the NHS app.
However, the paper says that it now understands that French company Teleperformance, which has attracted criticism in the UK over working conditions, uses an opaque chain of subcontractors to perform similar work under two contracts worth £35m:
A spokesperson for the NHS said these staff were trained by the Home Office and were all based in England. Some work for NHS Digital directly.
But the NHS later admitted that Teleperformance, which performs much of the work, is permitted to subcontract the ID process to other companies.
It said these companies are subjected to “stringent” checks and that identity checkers must complete specialist training, pass quality assurance, audit and supervisory checks, all managed by NHS Digital.
Both NHS Digital and Teleperformance declined to provide a list naming the subcontractors.
The NHS has published a partly redacted version of one of the contracts with Teleperformance, a £7m agreement covering April to June this year, but has not published a larger £28m contract running from June 2021 to March 2022.
It also hasn’t published a data protection impact assessment (DPIA), a document governing how the personal data of people signing up to the NHS app is used, collected and stored.
The NHS is understood to be considering publishing redacted versions of the second contract and the DPIA. Teleperformance did not return multiple requests for comment about how it processes and protects the data its manual checkers receive.
Civil liberties campaign group Big Brother Watch said there was “no reason at all” not to publish contracts and supporting information about the companies involved and their procedures.
“People don’t even know which companies are involved in processing this identification data, where they’re based, or what privacy protections are in place. There is a clear and pressing need for transparency around this curious tech set up,” said director Silkie Carlo.
The concerns echo those expressed earlier this week about iProov’s contract, which also hasn’t been published and is governed by the same DPIA. The government has said the documents have not been published for security reasons.
Dr Stephanie Hare, author of the forthcoming book Technology Ethics, said: “It is best practice to publish as much as is possible for transparency, important especially in government contracts, for building and maintaining trust.
“Security concerns are relevant so there will be aspects that cannot be published because the government does not want its systems breached.
“But the public should be able to know how this works, the track record of the companies doing the work, what happens with the data, who can access it and how.”
Perhaps Welsh Labour Ministers will publish these details, seeing as they are using this app, or at least publicly call on the UK government to do so.