NHSX sets out UK’s COVID-19 contact tracing strategy


Our team: Tim Wright


With calls growing for the UK government to provide a detailed exit strategy from country-wide lockdown, Matthew Gould (NHSX chief executive) and Geraint Lewis (public health doctor and programme lead) recently published a blog discussing their plans to launch a contact-tracing app in the next few weeks. This follows health minister Matt Hancock’s recent announcement that such an app will be deployed for large-scale contact-tracing once the number of new cases of the coronavirus falls. The app will be approved by the chief medical officer prior to its roll out.

Getting back to normal

NHSX, the NHS’s digital innovation unit, believes the tool, which automates the laborious process of contact tracing, will help reduce transmission of the virus by alerting people who may have been exposed so they can take action to protect themselves and others. The app will be part of a wider approach that will involve contact tracing and testing, as well as complementing traditional measures, in order to protect vulnerable groups and those who cannot or do not wish to access digital tools.

The app builds on research carried out by Oxford University’s Nuffield Departments of Medicine and Population Health. It works by using Bluetooth Low Energy to log the distance between phones that have the app installed, providing an anonymous log of how close individuals are to others, which is stored securely on their phones. Users who become unwell with symptoms of COVID-19 can use the app to inform the NHS, which can trigger an anonymous alert to other app users with whom they have had significant contact over the previous few days.

The app will also give advice to users who become symptomatic on the course of action they should take, e.g. self-isolation, and (as part of planned future functionality) will allow users to provide additional information to help the NHS identify hotspots and trends. NHSX says that this extra information about the spread of COVID-19 will contribute towards protecting the health of others and getting the country back to normal in a controlled way, as restrictions ease.

Privacy and security by design

NHSX says that security and privacy have been prioritised at all stages of the app’s development, starting with the initial design and user testing, in consultation with the Information Commissioner, and under the supervision of an ethics advisory board chaired by UCL’s Professor Sir Jonathan Montgomery, the former head of the Nuffield Council on Bioethics.

Data on the app will only ever be used for NHS care, management, evaluation and research, and users will always be able to delete the app and all associated data whenever they want. As part of NHSX’s commitment to transparency, the key security and privacy designs, and the source code, will be published so that privacy experts can “look under the bonnet” and help ensure the app’s security is world class. An independent assurance board has also been established, which includes experts in mobile apps, data governance and clinical safety, to ensure that the app is stable, resilient, secure, performant, highly usable and effective in the fight against COVID-19.

Centralised v decentralised model

NHSX’s blog says that it was working with Apple and Google on the tracing app. More recently, however, the BBC has reported that the Apple/Google model (a “decentralised” approach where the matches take place on users’ handsets) has been rejected in favour of a “centralised model” where the matching process – which works out which phones to send alerts to – is done on a server. NHSX is reputed to believe that a centralised system will give it more insight into the spread of COVID-19, and therefore into how to evolve the app accordingly. However, countries including Switzerland, Estonia, Austria and Germany are all said to be pursuing decentralised designs, believing that they pose fewer privacy and security risks for end users.

Global approach

A number of other countries have already rolled out their own contact tracing apps as part of their lockdown-exit strategies. Singapore and India were amongst the first, and Australia recently released its COVIDSafe app, which uses Amazon Web Services to host users’ data.

Trust in the app

The NHS’s centralised model should allow it to spot trends in a geographical context, for example, if dangerous hotspots are developing. But to be effective, and to help the country get back to normal, many millions of individuals will need to trust the app and follow the advice that it provides. NHSX says that to earn that trust, it will ensure that its work continues to be based on transparent standards of privacy, security and ethics; hence the efforts it is making to assure users and experts alike that the app will have world-class security and privacy.

The regulator’s response

Elizabeth Denham, the UK’s information commissioner, who has been supportive of the approach taken to contact tracing, published a blog in relation to NHSX’s plans. NHSX, in turn, has put privacy and security at the top of its design and development agenda and can be seen to be giving the subject sufficient weight and priority in order to keep the regulator on board.
