Personal data collected by the NHS’ coronavirus test and trace system will be stored on Amazon Web Services (AWS) cloud infrastructure.
The detail was revealed in an updated version of the NHS Test and Trace privacy notice. It states that US-based AWS is “providing the secure storage location for the information collected by NHS Test and Trace”.
The programme, which launched today, involves a network of 25,000 contact tracers identifying and tracking who someone infected with Covid-19 has been contact with. The initiative is seen as a key means for the government to gradually ease lockdown restrictions and gain more insight into how the disease spreads.
When published yesterday, the Test and Trace privacy notice made no reference to AWS, the world’s largest cloud provider. Instead, it said that citizens’ data would be “held on PHE’s [Public Health England’s] secure cloud environment, which is kept up to date to protect it from viruses and hacking”.
Other text, including “this information will be held securely by Public Health England” have also been removed from the updated version.
Verdict has contacted the Department for Health and Social Care (DHSC), which sponsors PHE, asking whether Test and Trace data was originally to be stored on a PHE private cloud.
PHE, which is overseeing Test and Trace, came under criticism after it said it will keep personal data from the scheme for up to 20 years.
Data includes full name, data of birth, sex, NHS number, address and post code, contact details and Covid-19 symptoms.
Last month AWS won a contract with the Australian government to store data collected from its own contact-tracing app. This raised concerns that the data may be accessible to the US under the CLOUD Act, forcing the Home Affairs department to confirm that the data will remain in Australia.
Verdict has asked DHSC to confirm where data stored by AWS will reside.
Other private companies listed as providing assistance to the NHS Test and Trace scheme are Serco UK and SITEL group. Both firms will provide additional staff to make calls to the contacts of those that test positive for Covid-19, as well as advice on self-isolation.
The NHS Test and Trace privacy notice states that these organisations, along with AWS, “are only permitted to use information collected by NHS Test and Trace to help with the Covid-19 contact tracing”. It goes on to state that this will only be on the instructions of DHSC and that they “cannot use the contract tracing information for any other purpose”.
NHS app awaits rollout
The NHS contact-tracing app, which is currently being tested on the Isle of Wight, forms part of the Test and Trace system. It is hoped that it will automate much of the contact-tracing process by using mobile phone Bluetooth signals to keep a log of who a person came into close contact with.
In a blog post published on 4 May, NCSC technical director Ian Levy on 4 May, said that ‘anonymous’ proximity data from the NHS contact tracing app will be uploaded to “the NHS server”.
It is unclear if that data will now be stored on an AWS cloud along with the Test and Trace data. Verdict has asked DHSC for clarification.
The Test and Trace system has also failed to complete mandatory privacy checks, with PHE confirming to Politico that it had “yet to complete a so-called data protection impact assessment”, which is a mandatory legal requirement.
Privacy and security academics have also raised concerns about the UK’s decision to opt for a centralised app, which sees some data stored by PHE, instead of a decentralised app which stores all data on the phone and is seen as a more privacy-orientated approach.
Verdict has also contacted AWS for comment.