Fresh twist in privacy debate surrounding Covid-19 tracing app, after government reportedly grants GCHQ access to security data of NHS IT tech
Intelligence agency GCHQ (Government Communications Headquarters) has been granted extra powers to obtain information from NHS IT systems, it has been reported.
According to the Health Service Journal (HSJ), the government decision to give GCHQ extra powers to obtain information from NHS IT systems is an effort to bolster the NHS’ cyber defences during the Coronavirus pandemic.
Recently both the United States and the UK cyber officials have warned that hackers are exploiting the global Coronavirus pandemic to carry out cyberattacks.
Under the new powers granted by the government, the NHS must hand over information from its IT systems to GCHQ, HSJ revealed.
Essentially GCHQ can demand the NHS disclose any information which relates to “the security” of the health service’s networks and information systems.
According to a government document published last week, the purpose of the new enhanced powers is so that GCHQ can support and maintain the security of any network and information system which is held by – or on behalf of – the NHS, including systems that support NHS services intended to address coronavirus.
The same powers also apply to public health bodies, as until now GCHQ did not previously have the ability to demand this data under the Computer Misuse Act 1990.
A spokesman for the National Cyber Security Centre told HSJ that the directions were part of “our ongoing commitment to protect health services during the coronavirus pandemic.
“These directions give us consent to check the security of NHS IT systems,” the spokesman reportedly said.
The spokesman said the directions “do not seek to authorise” GCHQ to receive patient data, and he added: “We have no desire to receive any patient data.”
The directions will only apply until the end of 2020, and it is reported that GCHQ has also been advising NHSX on the creation of the new contact tracing app.
But the move will do little to settle disquiet about the new Covid-19 tracing app, after it emerged that the NHS approach is to store users’ data on their phones to ensure privacy, but carry out contact matches on a centralised server.
By contrast, Apple and Google’s decentralised method stores data on the device, and any data is stored on external servers – Apple and Google have promised this data will be anonymised and could not be linked to a specific individual.
A security expert noted that the GCHQ decision could potentially fuel concern about the privacy implications of the new Covid-19 app.
“The Health Service Journal reported that health secretary Matt Hancock has granted the UK intelligence agency GCHQ additional levels of access to NHS health systems,” said Irene Ng, CEO of Dataswift (the company behind SafeTrace).
“This follows a growing trend of Covid-related cyber attacks globally – which is likely the motivation behind the move,” said Ng. “A spokesperson for the Government said that GCHQ will not receive access to patient data. Even so, this news is likely to add fuel to already existing privacy concerns around the handling of the Covid-19 crisis for example, in the use of contact tracing apps that many Governments across the world are now rolling out.”
“The debate around these issues tends to focus heavily on whether or not we can trust Governments, and the NHS, with our health data,” said Ng. “But these debates often conflate trust with privacy. If there is trust, then should privacy not follow?”
“The proper data infrastructure that is required to ensure complete data privacy is something that global corporations struggle with, and many organisations in the last five years have been lured – by the “big data” economy – into thinking they can be a data company too.”
“If some of the largest global corporations are struggling to properly manage customer data, should we be trusting that the Government can?” Ng asked. “There are alternatives to the government model, so we shouldn’t just trust them implicitly just because they asked us to. Privacy (or lack of) is not a trust problem, it’s a data infrastructure problem.”
Can you protect your privacy online? Take our quiz!