NHSX Contact Tracing AppManagement Outsourced to Private Company and to be Accessed Overseas
David Hencke explores COVID-19 contracts worth £8 million handed out by the Government for its controversial centralised collection of personal data.
The management of the new NHS contact tracing app, which could potentially hold anonymised data on millions of British citizens with Coronavirus, is planned to be outsourced in the middle of June to a private firm, according to details of a contract released by NHSX.
Meanwhile, according to these contracts, computer engineers working in other European countries and the Far East will have access to the app as part of a troubleshooting role agreed between the NHS and the Swiss firm.
Details of the planned schedule and management for the launch of the App are among six contracts for the app totalling nearly £8 million released three days ago by NHSX to the government’s contract finding site.
NHSX is planning to have a centralised system of gathering the information rather than relying on the information staying on people’s smartphones through a joint Google Apple app which is used by other countries with the exception of France
The recently published contracts show that two companies, Go Pivotal (UK) Ltd and Zuhlke Engineering Ltd, pick up the vast bulk of the work. Both are offshoots of two major multinational companies.
VMware GO Pivotal, which has two contracts to design and test the app worth £1.8 million, is part of the US giant Dell Technologies group which have a huge range of commercial and military contracts.
The main contract to manage the app, worth £3.9 million, went to Zuhlke Engineering Ltd. Its parent company is Zuhlke Technology Group AG based in Switzerland which has over 10,000 projects and employs well over 1000 people in eight countries.
According to the contract, after a peer view with the Government, Digital Service NHSX plan to hand over the management of the app to Zuhlke in stages between 8 and 15 June.
As part of the management, 37 engineers will be deployed and the company will be “making use of Supplier’s Teams in Asia and Europe”.
Who and where they are has been redacted but the company has teams based in Hong Kong and Singapore and in Belgrade, Sofia, Vienna and cities in Germany and Switzerland who could have access to the project.
The contract also allows the company to use its own premises in Greater London to remotely access the app and all the staff computers to access the app will be supplied by the firm and not NHSX.
Is the UK Dumping the Centralised App?
Zuhlke has also been asked to assess compatibility with the decentralised Google Apple app system as part of the contract.
The contract states: “The Supplier will run a two week timeboxed technical spike to investigate the complexity, performance and feasibility of implementing native Apple and Google contact tracing APIs within the existing proximity mobile application and platform.” This has been interpreted by some commentators as a suggestion NHSX could dump the present system.
However, Matthew Gould, chief executive of NHSX, giving evidence to the House of Commons Science and Technology select committee on 28 April, poured cold water on this approach.
Gould told MPs: “The Apple and Google approach is itself evolving, and it is not there yet. They have said that they will do a two-stage process, first to try to make an API available, allowing those developing contact tracing apps to do so more effectively. The second stage is to develop their own contact tracing product, but we are some way from that second stage, so waiting for them would slow us down considerably.”
The NHSX chief executive is also worried about malicious use.
“One of the concerns around contact tracing is the ability to detect malicious use,” he told MPs. “One way to do that is to look for anomalous patterns.. but we are not clear that a decentralised approach would allow.”
Gould also said it would difficult to trace back contacts of someone who was subsequently tested and found not have the virus who had been told to self-isolate if it was a decentralised system.
Two MPs on the committee, Conservative MP for Heywood and Middleton Chris Clarkson and Zarah Sultana, Labour MP for Coventry South, both raised concerns about privacy and the use of the app.
Gould promised them he would do a data privacy assessment before finally going ahead and publish it. He insisted that the NHS would be the only people who would be able to access the data.
Byline Times put these points to NHSX about the management of the app being handed over to Zuhlke, the security issues surrounding people working abroad being able to access the app, and whether they were dumping the centralised system. NHSX did not reply.