back to article UK privacy watchdog confirms probe into NHS England COVID-19 app after complaints of spammy emails, texts

Britain's Information Commissioner's Office (ICO) has confirmed it is investigating grumbles about heavy-handed marketing emails and texts promoting the NHS COVID-19 contact-tracing app in England. Between 26 and 27 September, NHS Test and Trace messaged anyone resident in the country who was over the age of 16 and had …

  1. RockBurner

    Is that what those messages were??

    I think I ignored them.

  2. Anonymous Coward
    Anonymous Coward

    Not that they are worried

    Unelected beaurocrat Cummings will soon replace the ICO bosses with a Tory yes-man/woman

    1. You aint sin me, roit
      Coat

      They won't bother...

      He'll just ignore the ICO's findings, and point out that reading spam email and texts is a good way to test your eyesight...

    2. EnviableOne

      Re: Not that they are worried

      Job for Dame Dido?

  3. Anonymous Coward
    Anonymous Coward

    FFS!

    It's a global pandemic. It kills. We have shut down our economy. And people are getting up -tight over a text message that wants you to download an app that is likely to help us manage things? The day I don't get a single phone call telling me that I've had an accident because the warranty on my washing machine has run out because of the virus on my pc is the day I'll dedicate a flea's fart worth of energy to getting up tight about unsolicited public health messages for my own FFFing good!

    1. Anonymous Coward
      Anonymous Coward

      Re: FFS!

      If you don't complain when government breaks the rules it's a slippery slope. What if they start using this dataset for other things? They have pretty much just used the pandemic as a cover to get the phone number and email address of nearly every single person. Why not write to everyone? It would have been simpler as they already have that dataset from the electoral roll and previous mailing. It would actually have been cheaper than consolidating all the different GP systems data. Let know what other liberties you are going to allow them to take in the name of the pandemic?

      1. Anonymous Coward
        Anonymous Coward

        Re: FFS!

        1. They already have your phone number and email address (driving licence, car tax, inland revenue etc...and if not it's written in a ledger in a shed in Cheltenham).

        2. They can tell me when to wear a mask - I'm good with that.

        3. I would be quite happy if they sent people who fail to quarantine after positive tests to Papua New Guinea.

        4. I can cope with them telling me not to go to the pub after 10pm (way after my bed-time anyway).

        5. In fact if it means me, my family, my friends avoid an unpleasant death in an intensive care ward, I'll accept quite a lot.

        1. Anonymous Coward
          Anonymous Coward

          Re: FFS!

          The examples you gave do not require a phone number or email address and as for the shed in Cheltenham the government themselves don't have access to that due to oversight and the fact that they would have to say why they wanted it. I would bet my house on this data being farmed out to one of Dominic Cumming's mates to send the text messages. Where could they go with this? We already have a kind of curfew but they could go for a full one a bit like martial law. They could close the borders, that's if Brexit doesn't do that for them. The economies gone to pot so what about work camps, that's a jolly good idea. They have the shop your neighbour scheme so why not start employing citizens to keep an eye on other citizens. You see where I'm going this? One minute your government is breaking it's own rules to take your data, the next you're whispering to your neighbour about the good old days hoping no one hears or you'll be off on a fun filled holiday to a re-education camp. This is all hypothetical of course but I don't have a good feeling about this government or where the world in general is going.

        2. Doctor Syntax Silver badge

          Re: FFS!

          "1. They already have your phone number and email address (driving licence, car tax, inland revenue etc"

          Who's "they"?

          DVLA do indeed have one of my email addresses.

          So what? This didn't arrive at that address. It arrived at an address which was given only to a specific private business, my GP.

          You may be lax about your personal information security. Some of us aren't. In may case it's an old habit; my livelihood depended on my ability to handle other people's information securely (and to maintain my own security clearance). I'm hardly likely to adopt lesser standards in relation to my own information or to drop my standards just because I've retired.

          Now that that email address has been shared I'm going to have to discontinue it and set up another for my GP and hope (hope is about the best I can expect) that there'll be no repetition.

          1. Roland6 Silver badge

            Re: FFS!

            >It arrived at an address which was given only to a specific private business, my GP.

            Well GP's are in the business of delivering NHS services, so unless your GP is outside the NHS, all information you supply to your GP belongs to the NHS, with the GP as a data processor. So it is questionable as to whether your "email address has been shared".

            The only other factor is the extent to which GDPR applies to GPs and the NHS and thus whether your GP should have sent out a consent form for you to complete, which would have contained a clause about data sharing.

            1. Macs1000

              Re: FFS!

              I believe that GPs are indeed "outside" the NHS. They are independant contractors, not employees.

              1. Roland6 Silver badge

                Re: FFS!

                Yes GP's might be independent contractors, however, is your relationship with your GP: private or NHS; only private arrangements are truly outside the NHS and only then if they record the appointment on system separate to the NHS patient records system.

            2. Anonymous Coward
              Anonymous Coward

              Re: FFS!

              Err. The app is NOT from the NHS. As we all know it was developed by a private company after the NHS were taken off the job. So it’s a private advert.

              1. Roland6 Silver badge

                Re: FFS!

                >Err. The app is NOT from the NHS. As we all know it was developed by a private company after the NHS were taken off the job.

                Err the app is from the NHS, it is largely irrelelvant who actually developed the app. as they would have done it under contract to the NHS. The only relevant concern is whether the database is inside the NHS is external and the NHS only have access.

                1. tiggity Silver badge

                  Re: FFS!

                  Well its from Serco, part of govt push to privatise NHS - hence the app only works with test results from Serco Covid testing, NOT NHS tests.

                  So call it what it is: Serco Test and Trace

                  All part of the scheme to brand shit outsourced stuff under NHS banner, so Govt have excuse to further stealth privatise NHS saying look how crap it was on testing.

        3. RegGuy1 Silver badge

          Re: FFS!

          3. I would be quite happy if they sent people who fail to quarantine after positive tests all Brexiters to Papua New Guinea.

          There fixed that for you.

      2. Anonymous Coward
        Anonymous Coward

        Re: FFS!

        Ahh, https://yourlogicalfallacyis.com/slippery-slope

        Nobody needs to complain about a single text. IF they start doing more than is necessary, THEN we should complain about it. Complaining at this point about something which may never happen muddies the water about what did happen, which is a single text encouraging people to download an app that saves lives during a global pandemic.

        A single text given the circumstances is reasonable. We still have the option to complain about it when it starts becoming unreasonable.

        1. Anonymous Coward
          Anonymous Coward

          Re: FFS!

          Ahh, I'm already complaining and don't need a slippery slope. I was referencing the other persons apathy therefore there is no logical fallacy.

          That single text from GP data is huge breach of peoples privacy and completely unnecessary. A huge amount of work with an unclear end aim.

        2. This post has been deleted by its author

          1. Doctor Syntax Silver badge

            Re: FFS!

            I take it you received texts from someone with whom you'd shared your mobile number for that purpose. The problem here is that people to whom we've given contact details for one purpose have illegally passed those details to at least one other organisation without permission to do so. How much further has that information been passed?

            The rule of law matters. It matters most when applied to the government and it's an arm of government that appears to have been behind this.

            1. Anonymous Coward
              Anonymous Coward

              Re: FFS!

              I wish my GP had my email address...

              Their idea of technology is the phone. Bu texts? Forget it! Old skool only!

          2. Rich 11 Silver badge

            Re: FFS!

            I didn't take up the offer of free food as that would have included tined spam.

            I'd have happily taken the spam off your hands and added it to my Brexit stash.

        3. Doctor Syntax Silver badge

          Re: FFS!

          "Nobody needs to complain about a single text"

          Or an email in my case. In either case it's not the sending of the text or email that's the problem. The problem is that GPs appear to have been told to break the law at scale by making unauthorised disclosure of PII. It's that disrespect for law, which is becoming a pattern for this government, that's the problem and disrespect for law by a government is a very serious problem.

          1. SundogUK Silver badge

            Re: FFS!

            "which is becoming a pattern for all governments..."

            FIFY.

          2. Roland6 Silver badge

            Re: FFS!

            >The problem is that GPs appear to have been told to break the law at scale by making unauthorised disclosure of PII.

            You have not presented any evidence of this only wild speculation.

            The only evidence you have presented is that you have received emails from the NHS at an address you supplied to your GP. Yes there is reason to question your GP about how this has come about - perhaps the NHS provides a bulk email facility to which GPs can provide a mailing list, tick a box, click okay and you get an email from the NHS in your inbox...

            1. Doctor Syntax Silver badge

              Re: FFS!

              "perhaps the NHS provides a bulk email facility to which GPs can provide a mailing list"

              It does indeed appear to come from a bulk email facility: notifications.service.gov.uk

              It doesn't come from the GP. It doesn't have anything like "Envelope from" my GP. The actual ID there from which it comes is nhs.test.and.trace.covid19.app. A bit opaque, maybe, but possibly from the Serco business contracted to do the test and trace.

              That service, in its short history, has form for email security: https://www.theguardian.com/business/2020/may/20/serco-accidentally-shares-contact-tracers-email-addresses-covid-19 and didn't see the need to refer themselves to the ICO over that incident. And in any event it's all under the control, for want of a better word, of Dido Harding who also has form with overseeing PII in her previous job.

              Plenty of us commented here, right at the start, that trust was absolutely essential for us to have confidence in this operation and that HMGs of all colours have a long history of being untrustworthy in this regard. We also said that appointing Harding was a poor start to building that trust and this just confirms existing suspicions.

          3. Aggienator

            Re: FFS!

            I suspect GPs may not have been told to break the law, but that they have used data collected under direction from the DHSC. DHSC has extensive powers to require data from NHS bodies including GPs under a number of routes, including s254 of the 2012 HSCA and the Control of Patient Information Regulations (COPI).

            It may be that this will raise public awareness of these powers and stimulate a debate on whether they are appropriate.

      3. Graphsboy

        Re: FFS!

        "What if they start using this dataset for other things?" Well then you put in a legitimate complaint over a gross misuse of personal information but getting het up when they send you a single text aiming at preserving your wellbeing is just childish.

        They've had my details for years without me getting evidence that it's been abused (which I would have had if continually spammed etc.) and one text asking me to download an app in all that time is no great hardship.

        1. Doctor Syntax Silver badge

          Re: FFS!

          "They've had my details for years without me getting evidence that it's been abused"

          Who's they?

          Let's be specific here. In my case the "they" who have had this information for years without evidence that it's been abused is my GP's practice. There is now evidence that it's been abused. The abuse is not, repeat not, that spam has been sent; it the practice had sent the email themselves there's have been no problem whatsoever. The abuse is that PII has been passed to a 3rd party. The email is the evidence of that abuse.

      4. Dave559

        Re: FFS!

        I would expect that GP surgeries which have requested mobile numbers or email addresses have them stored on the grounds of something like "managing your health", and so covering a slightly wider purpose than just reminding you when your next appointment is. Encouraging people to install a COVID tracking app during a major health crisis seems a reasonable legitimate use in line with that purpose on those grounds (and not really "marketing").

        Yes, I would be concerned if they started spamming more frequently about trivial health matters (without opt-in), but this seems a reasonable and sensible use case.

        The real question is: who has the data? In my country of the UK, it seems that each GP surgery invents its own wheel for contact systems more or less clunkily (slow handclap), rather than there being a single countrywide NHS database (which would seem more sensible, an economy of scale, and hopefully (hmm) more likely to be more secure and bug free).

        Are we sure that the message wasn't just sent out by individual GP surgeries to all their own patients on behalf of the Government for England, or is it really the case that all of the contact data was actually "shared" and collated elsewhere?

        There is also the real big question that, because GP surgeries all have their own systems, and because those systems are run by commercial third parties, what are the chances that our contact data (but hopefully not health data, which is special category data!) is actually stored in some (hopefully not leaky) AWS bucket, and probably not in the UK/EEA, rather than in an NHS database in the UK, which is really where it should be? The fact that so much data about so many aspects of our lives ultimately ends up in assorted databases managed by a small handful of very large companies based in a country with extremely weak data protection law is the issue that always seems to get overlooked.

        1. Doctor Syntax Silver badge

          Re: FFS!

          "Are we sure that the message wasn't just sent out by individual GP surgeries to all their own patients on behalf of the Government for England"

          Yes we are. That's the whole point. It comes from "nhs.test.and.trace.covid19.app@notifications.service.gov.uk" which certainly isn't a GP. In my case, however, it's clear that the PII comes from my GP because it came to an address provided solely to my GP. It must, therefore, have been provided to them either from the GP practice or by the practice's data processors - of whom I think there are now two.

    2. Anonymous Coward
      Anonymous Coward

      Re: FFS!

      Cancer. It kills. About 3,500 people in England may die within the next five years of one of the four main cancers – breast, lung, oesophageal or bowel – as a result of delays in being diagnosed because of Covid-19, research shows. https://www.thelancet.com/journals/lanonc/article/PIIS1470-2045(20)30388-0/fulltext

    3. Anonymous Coward
      Anonymous Coward

      Re: FFS!

      How is getting uptight about unsolicited public heath messages hurting the response to the pandemic? It's just creating more news coverage about it while reminding those in charge that they have to follow rules too.

      People worrying about governments following their own rules is for your FFFing good!

      Stop being so Daily Mail.

      1. Doctor Syntax Silver badge

        Re: FFS!

        We are not being Daily Mail as you put it.

        The problem isn't the message. The problem is the illegality of sharing PII without consent.

        What makes is serious is HMG using a serious situation to justify that when the message could have been sent on their behalf by people who were entrusted with that PII in order to send such messages. Using a situation like that to set such a precedent is one of the oldest tricks in the book for governments who set out to ignore the law. Whatever the situation governments need to be held to account when they attempt that.

        1. Anonymous Coward
          Anonymous Coward

          Re: FFS!

          He didn't accuse you of being "Daily Mail" - he accused the others. Read again - he was agreeing with you!

        2. anothercynic Silver badge
          Facepalm

          Re: FFS!

          The OP was agreeing with you.

    4. Lee D Silver badge

      Re: FFS!

      Starts there.

      Ends up with the ludicrous situation in America where everyone's phones in the entire state ring with an un-blockable alert at 3am because a missing child on the border at the other side of the state MAY be in that state.

      It's all a worthy cause. Sure. Until you get such alerts every night, can't turn them off, and are never in a position to do anything to aid anyway, being 1000 miles away from where they were last seen.

      Fact is: Law says no. Emergencies do not override laws without emergency laws to change them.

      And when it involves my personal data, and trust of proper use of that data, it's actually counterproductive - as the guy says "I'll just remove my data then so you can't use it at all" because there's no proper unsubscribe.

      If the NHS cannot protect my personal data from use in unsolicited marketing, then you have a big problem there, before you even consider what feature-creep will result in in ten year's time if it's left unchecked. Just because of something that's a non-essential part of a no-longer-emergency situation.

    5. Doctor Syntax Silver badge

      Re: FFS!

      If my GP sends out an email on the NHS's behalf that's fine. I gave my GP* an address on which they could email me. What I didn't do is give them permission to pass it on to some third party. This could have been accomplished within the law. It wasn't. Using this particular situation to needlessly break the law is a bad precedent** which shouldn't be accepted.

      Freedom under the law is a priceless benefit. When governments start disrespecting the law - any law - because it doesn't suit them that benefit is at risk.

      * Remember that although a GP works for the NHS they are an independent business and must follow rules which apply to independent businesses.

      ** Although this government has already demonstrated an intent to break international law as a matter of policy.

      1. Robert Carnegie Silver badge

        Re: FFS!

        Tip: If your e-mail address actually contains the word "spam", most spammers will just not use it, they will assume it's something like "Doctor.Syntax.hates.spam@nhs.uk" which of course a human operator can change to your real address but dumb software can't. This may not work though; no guarantee.

        1. Lee D Silver badge

          Re: FFS!

          Tip: If you give a different email alias to every provider, then when you are spammed you know exactly where it came from, can report them / complain to them, they can't wheedle out of your evidence of their breach of data protection, and you can permanently block that alias without affecting any other email whatsoever.

          It's available for pence on any "catch-all" email forwarding domain. And it has allowed me to threaten court to several companies (who immediately fell over themselves to appease me, including the one who was knowingly using a stolen customer database from a rival company!), know exactly who does look after my information and who doesn't (when you get spam to a companyname@mydomain.com email, it means that Company Name allowed my information to leak!), and let's me cut out spam from companies that demanded an email but from which I have no desire to ever receive one after the initial activation email.

          Currently on about 500+ aliases (I can just make them up and they are valid emails immediately), 27 blocked email aliases for unauthorised information leaks, about 5 threats of legal action for deliberately misusing my information, and about 50+ filters for "this company only ever spams me and has no unsubscribe" in my email that means I get the emails but they just get foldered in case it was anything important. And I've had the same domains for 20+ years.

          And my *actual* email account that I collect it all from is still unpublished and can be changed at any time to another provider without having to do a thing except change the forwarding address (Oh, P.S. even an unpublished, never-provided address gets spam, which means that most of the major email providers have internal leaks... but fortunately, unless the email was addressed to "mydomain.com" or whatever, it was clearly unwanted spam sent direct to the forwarded account anyway, so I can just filter and delete).

        2. Doctor Syntax Silver badge

          Re: FFS!

          Tip: If your e-mail address actually contains the word "spam"

          Sigh.

          Some people just don't get it. Read this as many times as it takes to understand it: it is contrary to the DPA - based on GDPR - to pass on PII without specific, informed consent.

          That is the problem here. Not the message on behalf of the NHS. The passing on of PII without consent. Who knows where it's got to once it's gone?

          1. Robert Carnegie Silver badge

            Re: FFS!

            Well, yes, but I am suggesting a way to make stolen PII be useless and to get naughty people to delete it from their database - in a small way. To have them not bother you.

          2. Aggienator

            Re: FFS!

            There are quite a few other legal gateways to pass PII, and indeed to be required to do so. I suspect that the DHSC has used one of these. There is a lot of data passed to NHS Digital from both GPs and secondary care under these. You can opt out of some, but not all of this through the National Data Opt Out. NHS Digital then produces a register of further disseminations of this data.

            https://digital.nhs.uk/services/data-access-request-service-dars/register-of-approved-data-releases

            https://digital.nhs.uk/services/data-access-request-service-dars/how-the-national-data-opt-out-affects-data-released-by-nhs-digital

      2. Man inna barrel

        Re: FFS!

        I am not too worried at my contact details being given out by my GP, in order to have another organisation contact me about the "test and trace" app. I mean, the general idea of contact details is that you give them out to other people. The worst that could happen is a bit of extra spam. I am hoping that contact details for the mass mailing was all that was given out.

        What I am actually worried about is the app itself, and what personal data it might expose. As of now, I will not be installing it, because on the basis of past history, I expect an omnishambles of epic proportions, and I would rather keep my head down for now. I have not even attempted an install. I suspect registration may require more personal data than is really necessary, which seems to be the norm these days. Perhaps I am being paranoid, but I would prefer to say I am being cynical and realistic.

  4. Captain Hogwash Silver badge

    I got one...

    and pretty sure I've never shared my mobile number with the GP.

    1. xyz Silver badge

      Re: I got one...

      They probably used the cum-o-base they gathered together for the brexit shenanigans. It has everyone on it.

    2. rg287 Silver badge

      Re: I got one...

      I'd assumed they just had the networks push-to-all on public-health grounds (entirely reasonable in this particular scenario). Cell Broadcast Services exist in the standard to support things like Emergency Alerts.

      Emails obviously had to have been sourced from somewhere - my GP has my email, but I didn't get one, just the SMS.

      1. Anonymous Coward
        Anonymous Coward

        Re: I got one...

        I think that's what they're doing. Just ask the networks to send a message to every phone they see.

      2. Captain Hogwash Silver badge

        Re: I got one...

        That probably explains it. My partner, who lives at a different address, didn't get one in spite of frequent calls to and from the GP practice.

      3. Teiwaz
        Holmes

        Re: I got one...

        i don't think I got one (on my phone).

        Quite impressed, as it's an old feature phone and not capable of android or IOS apps.

        +1 for general gumption to all involved.

        I think that brings us back to 'just bang the rocks together, guys'.

      4. Robert Carnegie Silver badge

        Re: I got one...

        Broadcast? Could be. I am in Scotland incidentally and I don't think I've had any of this.

        What would test it is if a Scottish phone owner was in England that day, or vice versa. I hear that Margaret Ferrier MP popped down to London recently...

      5. SundogUK Silver badge

        Re: I got one...

        Not sure about this. I got it on my personal phone (3) but not my work phone (Vodaphone.) They are always together, so unless Voda said no...

    3. Captain Hogwash Silver badge

      Re: I got one...

      Not bothered, just curious...why the downvote? My post seems pretty innocuous and unlikely to inflame emotions.

      1. Commswonk

        Re: I got one...

        My post seems pretty innocuous and unlikely to inflame emotions.

        And that makes a difference how, exactly? This is El Reg, remember. :)

      2. Dabooka
        Happy

        Re: I got one...

        It's El Reg.

        Don't try and figure out why, you'll go nuts as there is no logic. I got one once simply for asking a question.

      3. Anonymous Coward
        Anonymous Coward

        Re: I got one...

        And the third rule of El Reg comments... Don't ever query votes, you'll be downvoted for that!

        1. Dabooka
          Happy

          Re: I got one...

          I really wanted to downvote that comment but I remained strong.

    4. Keith Oborn

      Re: I got one...

      I have. I get text alerts from them. I did NOT get any about the NHS app--.

  5. Doctor Syntax Silver badge

    I noticed the spam but didn't check closely, assuming that, because it came in via the specific email address, that it was the GP sending out messages on behalf of the NHS which would have been acceptable.

    Time to change the email address.

  6. Jemma

    You lot...

    Are actually aware we are talking about a virus that can shut down interferon immune messaging by up to 85%, so the body doesn't recognise an infection. A virus that can switch off your immune system? Then it can interfere with antibody production and the active immune system going after infected cells in a serious infection... And after that triggers cytokine storm - killing by stroke, blood clots (*inch long* blood clots), heart attack and organ failure? Not to mention there are at least 6 clades in the tree of cv19 and maybe 50 different genetic versions..

    Did this somehow escape you?

    Yes, you were spammed technically, boo-fucking-hoo. This message was sent to you in order to save lives. Including possibly yours or your family so FFS..

    STOP BEING SO BLOODY ARROGANT AND SELFISH YOU MINDLESS FRIGGING SNOWFLAKES.

    The human race disgusts me.

    1. You aint sin me, roit

      Re: You lot...

      Yes, we are aware how serious it can be, and what we should do as responsible citizens to stop the spread of infection. That isn't in question.

      The issue is that receiving spam from a source that you might not have expected to have your details can be disconcerting, whether you intend to download the app or not (or in my case after I had already downloaded it).

      Particularly when you know tragic Dido is in charge of the operation...

      Not to mention that an overly heavy-handed approach might be counterproductive. People are still angry with Dominic "I do what I want, you do what I say" Cummings.

      1. Anonymous Coward
        Anonymous Coward

        Re: You lot...

        No, the issue is you are letting your blood pressure rise over something that a) was almost certainly warranted in the current situation and b) is, on a scale of privacy intrusion in everyday life, inconsequential. High blood pressure is a contributory factor in many COVID deaths - so maybe take some time to calm down. (I'd tell you to take a few deep breaths...but that might be insensitive in the circumstances).

        1. Jemma

          Re: You lot...

          It's good then that I have 20% below average BP then isn't it.

          Cv19 kills by distributed clotting mainly so neither is it blood *pressure* within itself - its the density of the blood that's the problem - high cholesterol is therefore a risk.

          However its still more the genetics of your killer-t latches that can be a guide to whether you'll survive or not, because some groups of people will have t-cell latches that are the wrong shape for cv19 (is thought to be why Africans and Asiatics are highly at risk) - there is apparently some correlation between Neanderthal and Denisovan DNA in the immune genes of an individual and a bad outcome.

          But again, a message was sent with the intent to help deal with a worldwide pandemic that has killed the best part of a million people in an extremely nasty way. It's not the same as Amazon spam is it? So why the whining?

          PS: if you have had cv19 and the service is available get tested for antibody harvesting - most will knock out 1000/1500 units per volume of blood but *some* people can produce 5000/10000 units per volume (super producer) due to the B cells being able to hold onto the virus very effectively and for a longer relative period.

          Harvested antibody transplantation can cure a seriously ill cv19 coma patient (to leaving hospital) within a few days.

          This is available in the US under a blanket emergency permit - but YMMV.

          1. Doctor Syntax Silver badge

            Re: You lot...

            "So why the whining?"

            Because HMG decided it was a good opportunity drive a coach and horses through one of our legal protections instead of sending the message legally. This is a government that seems quite cavalier in its approach to following the law. Push back is entirely appropriate.

            1. DavCrav

              Re: You lot...

              "Because HMG decided it was a good opportunity drive a coach and horses through one of our legal protections instead of sending the message legally."

              Hoe do you know. The message was not addressed to you personally, at least the SMS I received wasn't. If, indeed, it was sent to all active phones in a cell, then there is no GDPR violation.

              1. SundogUK Silver badge

                Re: You lot...

                "If, indeed, it was sent to all active phones in a cell..."

                It wasn't. I received it on my personal phone but not my work phone and they're always kept together.

              2. Doctor Syntax Silver badge

                Re: You lot...

                "The message was not addressed to you personally"

                So how did it get to me email address. Just one of my email addresses. The email address given to my GP.

                Can you explain how somebody other than said GP emails me without a breach of the DPA?

        2. Adair Silver badge

          Re: You lot...

          Perhaps it comes down to facts. If the SMS blast was done by asking Service Providers to message all phones registered on their system (as suggested up thread), that is one thing - and seemingly reasonable in the circumstances. If it was done by unilaterally plundering supposedly confidential medical records without so much as a 'by your leave', then that is a completely different matter - regardless of the circumstances.

          Pays to remember that our putative 'Government' is here to serve the well being of the nation, not to treat us as 'serfs', 'chattel', 'units of production' or any other depersonalising treatment.

          Everybody dies of something, sooner or later. It's what we do with the time up to that moment, and the reasons for our choices, that make the difference between mere existence and a 'good life'. Part of that is how we collectively value each other as people. Up until now our successive governments (UK) have not been terrible (relatively), but they could do better - as could all of us. Pray those who presume to lead us don't get worse - and that we (society) make it clear what our values and red lines actually are. As the old saw goes: we get the government we deserve.

        3. Doctor Syntax Silver badge

          Re: You lot...

          "No, the issue is you are letting your blood pressure rise over something that a) was almost certainly warranted in the current situation and b) is, on a scale of privacy intrusion in everyday life, inconsequential."

          No, the issue is that an arm of government is using this as an excuse to break the law.

          The message could have been sent on behalf of the NHS by my GP to an email address I'd provided exclusively to them. They chose not to do that. They chose to harvest that PII, by whatever degree of compulsion is unknown. It's not the message that's the problem, it's the illegal harvesting of data to so it that's the problem.

      2. Commswonk

        Re: You lot...

        People are still angry with Dominic "I do what I want, you do what I say" Cummings.

        I pray for the day when BoJo realises that Cummings is a liability rather than an asset, but I suspect that it might turn out to be the longest prayer known to man. I'm more than slightly surprised that there hasn't been a Cabinet or backbench revolt over his influence.

        1. Eclectic Man Silver badge

          Re: Mr Cummings and BoJo

          You seem to be assuming that BoJo is in charge. I believe that Mr Cummings' post is actually that of Eminence Griese (or Mephistopheles).

          (Expecting multiple down votes for criticising, but hey, one should be honest after all.)

          1. SundogUK Silver badge

            Re: Mr Cummings and BoJo

            Down votes for saying that on the (Woke) Register? You are joking.

          2. Anonymous Coward
            Anonymous Coward

            Re: Mr Cummings and BoJo

            I believe that Mr Cummings' post is actually that of Eminence Griese (or Mephistopheles).

            I always thought his role model was Svengali.

        2. Fruit and Nutcase Silver badge

          Re: You lot...

          "A source close to the Home Office told the Guardian that the prime minister’s chief adviser, Dominic Cummings, had become “obsessed with the Channel crossings” in the weeks before documents on the implications of the idea were produced in mid-September."

          https://www.theguardian.com/uk-news/2020/oct/01/government-offshore-asylum-idea-attacked-as-morally-bankrupt

          He'll probably up sticks and head off east once he's satisfied that the maximum damage has been inflicted on Blighty from which it will take a long time to recover

        3. Doctor Syntax Silver badge

          Re: You lot...

          I'm afraid that the day to have done that is already past. It was the day we learned about the Durham trip. The damage to the government's credibility was done when he wasn't fired. Like you I would welcome his departure right now but it'll just be seen as another U-turn, more belated than most.

      3. Man inna barrel

        Re: You lot...

        What exactly is the problem with receiving an email from an unexpected source? It is not as if the NHS is trying to defraud you. I actually get quite a lot of emails from unexpected sources, that typically originate from sites I registered on, then forgot about.

        1. Doctor Syntax Silver badge

          Re: You lot...

          I don't suppose TT was trying to defraud their users. They just managed to lose control of the users' data twice to those who were trying. With Dido Harding presiding.

          It now appears that T&T have acquired a large database of PII. With Dido Harding presiding.

          T&T operation is subcontracted to Serco. One of their first actions was to lose control of their tracers' email addresses by email

          I repeat again, the problem isn't the unexpected email, it's where the data has got to.

    2. Andre Carneiro

      Re: You lot...

      “ The human race disgusts me.”

      Feel free to leave it...

    3. Anonymous Coward
      Anonymous Coward

      Re: You lot...

      You lost me at SNOWFLAKES - hate that phrase as do I hate the covid fascism mainly been driven from members of the public. (e.g. the lot that were posting on Facebook when people were exercising outdoors wanting everyone to be locked in a house)

      Deaths - the figures from Covid-19 related deaths.

      https://www.ons.gov.uk/peoplepopulationandcommunity/birthsdeathsandmarriages/deaths/bulletins/deathsregisteredweeklyinenglandandwalesprovisional/weekending18september2020

      It's still tracking below the Influenza and pneumonia deaths (which are on an annual cycle anyway).

      There's a separate argument for loss of rights vs. risk - and at the moment - the data is showing the risk reducing as more of the population get it and get well from it. There are papers about it weakening as it passes through the population. Ideally, we'd want to limit the risk of those at risk of harm (which isn't the full population). Let them be sheltered and locked down and let the rest get on with life.

      This pandemic isn't an excuse for removal of those rights nor ignoring privacy and law.

  7. Anonymous Coward
    Anonymous Coward

    Spammy, but also stupid

    We got a text encouraging us to install the app, at 7:30 on Sunday morning. That's a really good way of making sure people decide not to install the app. Sending texts during the hours people are likely either to be awake or not woken up by the text would be something people with functioning brains would think about.

    (For the record, we do have the app: it put me off, but not that much.)

    1. Ken Hagan Gold badge

      Re: Spammy, but also stupid

      I got the text a day after reading about the design flaws (no exit code from a location) and the implementation bugs (no negative test results) so I was well aware of the availability of the app.

      If it has only been downloaded 12 million times then it would appear that most of the population weren't impressed either.

      1. Mark192

        Re: Spammy, but also stupid

        "I got the text a day after reading about the design flaws (no exit code from a location)"

        Happily it's not a flaw.

        The QR code feature is not used to tell you if you've been close to someone but that you may have been in a virus hotspot e.g. in a pub where someone -or some people- have inadvertently left virus over a load of surfaces they've been touching it breathing over.

        In such a situation they won't know who spread it and so signing out gives no useful extra information - it's not used for proximity.

        The 'QR code alert' would tell you that you've been in a virus hotspot and advise you to be alert for symptoms.

        Hope that helps.

  8. Marjolica

    I got the email at 7:41 Sunday. I already had the app installed. On most phone's it's possible to set a 'do not disturb' so it doesn't wake you up with a nocturnal notification. Needless to say mine turns back on at 7:30, as that is also when my wake-up alarm goes off. Normally I make a cup of tea and check for any overnight emails and texts then so for my use case it would make more sense than later in the day as I don't live with my phone except when I'm out and about.

    1. Pascal Monett Silver badge

      Yes, I set my "do not disturb" at 19h every evening : I put my phone in flight mode.

      When I wake up, after washing up, getting dressed and getting my brain in gear, I then open that damn thing to world again by removing flight mode.

      Works perfectly.

  9. MoreBeerPlease
    Facepalm

    What message?

    Bit confused my GP has my contact details and for the rest of household too, but none of us received any message about the app.

    Good to see the messaging is a reliable as the app

    1. AndrueC Silver badge

      Re: What message?

      Same here. I got a message about staying home back during lockdown which I assume was a network wide message. But I've had nothing since and my GP has my details.

      1. Doctor Syntax Silver badge

        Re: What message?

        Maybe you folks have GPs who respect your privacy.

  10. Anonymous Coward
    Anonymous Coward

    Worked as intended

    As the app isn't an NHS app, but a Serco one, this has had the desired effect of allowing a private company access to all that juicy GP data. Move along.

    1. Tony W

      Re: Worked as intended

      It is not a Serco app. They had no connection with the design of the software. If you know better please give references.

      1. Doctor Syntax Silver badge

        Re: Worked as intended

        Serco have the contract to run Track (or Test) and Trace. The email claims to have been sent by them. Basically, if you got the message you have no idea where your PII has got to by now.

  11. JohnMurray

    Old phone = No app, No texts or phone calls from the NHS fuhrer, Herr Cummings.

    Not to worry, 70-year-olds don't get ICU beds anyway...

  12. Warm Braw

    Given the spike in infections...

    ... it's a good job the app is finally here.

    Perhaps it's the app spreading the infection by surreptitiously retrofitting 5G technology to your phone and channelling vaccines into your proudly unmasked face through the microphone.

    1. Anonymous Coward
      Anonymous Coward

      Re: Given the spike in infections...

      Done by Bill Gates no less? :-)

  13. Lazlo Woodbine

    I didn't get a text or email, I guess that's because it's so long since I visited my GP I bet the mobile number on their records is for an old Nokia in a drawer somewhere

  14. This post has been deleted by its author

  15. Anonymous Coward
    Anonymous Coward

    Head of the ICO

    Is Elizabeth Denham still working from home (in Vancouver)?

  16. davenewman

    Heavily advertised online

    The NHS Covid-19 app keeps coming up in adverts in mobile games (Andoku in my case). So the number of installations might also be affected by that.

    1. Anonymous Coward
      Anonymous Coward

      Re: Heavily advertised online

      Google won't even let me report that ad as inappropriate or spam

  17. Anonymous Coward
    Anonymous Coward

    Only 12.4 M downloads?

    Why are the idiots-that-be claiming 12.4 M downloads as good?

    AIUI about 60% of the population need to download the app before it becomes useful. (A bit like how many people need to catch the disease to gain herd immunity). So they need a h*ll of a lot more downloads before it was worth spending a penny on.

    1. Roland6 Silver badge

      Re: Only 12.4 M downloads?

      >Why are the idiots-that-be claiming 12.4 M downloads as good?

      Well to install you need either a device running iOS 13.5 (released 20 May 2020) or later, or a device running Android Marshmallow (6.0 released October 2015) or later.

      Play are saying 5+M downloads, which would suggest circa 7.4M downloads from the iStore (actual figures not publicly available), which would seem to indicate that many iPhone users do keep their iPhones uptodate - with the numbers indicating that most users will be Joe Public and not El Reg readers.

      It would be interesting to estimate just what the total potential number of compatible devices currently in use, so as to give an indication of market penetration.

      1. browntomatoes

        Re: Only 12.4 M downloads?

        I think you needed an Android phone which had still been receiving OS updates this year, not just Android M. That cuts out most over 2 years old.

        I suspect most downloads are because pubs, restaurants etc are telling patrons they "have to" install the app and check in to come in (they're not supposed to do this and instead offer a manual signing in book if you don't want to use the app, but you can't blame them because if they say app-only then they don't have any need to worry about GDPR, breaches etc of their manual signin records).

        A lot of people are installing the app, checking in, then uninstalling it because they don't trust the app one bit. That's certainly what most of my friends seem to have done.

  18. DSSmith

    somewhat pointless

    received spam SMS on a phone whose OS is too old :-)

  19. Anonymous Coward
    Anonymous Coward

    Spam?

    When I saw the unsolicited e-mail message, I thought it was some sort of phishing attempt (I would guess I wasn't the only one), as I hadn't seen any prior information anywhere that this move was in the offing. I appreciate we're living in troubled times, but I consider this effort to be a bit border-line, and a bit of an "in-your-face" action. Not impressed. Prior warning on TV or in the press that this was about to happen should have been the order of the day - NOT to just pop up, completely out of the blue.

    1. Doctor Syntax Silver badge

      Re: Spam?

      Close. Not prior warning in the press. What you should have seen was a request from your GP to share your PII with a 3rd party.

    2. Anonymous Coward
      Anonymous Coward

      Re: Spam?

      Spammed by Dido's TalkTalk

      Spammed by Dido's NHS

      so, no change there then.

      Disproves what it said about her, she can get some things done effectively.

  20. Eclectic Man Silver badge

    Curioser and curiouser

    I have an iPhone 7. I downloaded the NHS anti-Covid app and had to update the OS to the latest 14.something, then I had to download an update to the app. I did it so that I could use the extremely over-complicated QR code log in thing. Then found out about the inability to input negative test results etc.

    Now, I did sort of get a text message, early one morning. However I was a bit sleepy and couldn't read it for some reason. I opened my phone and the text message app, but the message would still not display properly, and then the phone seems to have lost it, and refused to display any of my saved text conversations. I sent texts to a few friends eventually, and the conversations with each of those re-appeared, but trying to get at the NHS conversation did not work at all. Overnight the rest all mysteriously re-appeared, but no new text message from the NHS.

    So maybe I was sent the message, or not.

    Anyone else have a similar experience?

    (Any chance of a 'Tweedledum and Tweedledee' icon for strange things?)

  21. Anonymous Coward
    Anonymous Coward

    Meanwhile..

    at work we are barred from running the NHS app.

    [not police]

    nominative determinativisn might apply

  22. Anonymous Coward
    Anonymous Coward

    COPI notice

    The UK gov has changed the law about data sharing by health orgs - here’s a link https://www.gov.uk/government/publications/coronavirus-covid-19-notification-of-data-controllers-to-share-information

    There’s a positive duty to share info now.

    Posting as AC for obvious reasons

    1. Doctor Syntax Silver badge

      Re: COPI notice

      Use a serious situation as a pretext for getting rid of public protections. Absolutely classic.

  23. Mark192

    The sending of an unsolicited text message may be considered a step too far but has to be balanced by the boost to my privacy achieved when my mother in law was banned from entering my entire county (along with everyone else too, I should add).

    The real problem is not the receiving of a text but the sharing of data. If the only data shared was a phone number (so no name or other details attached) then the privacy implications are slight. If more details were shared then that is both unnecessary and very serious.

    The Reg article focuses on this but has no further information.

    I'm confused as to why the government hadn't instructed the various mobile phone companies to send a message to all phones registered on their networks... I assume this must not (currently...) be possible.

    1. Eclectic Man Silver badge

      I seem to recall that in the USA, or at least one state of the USA, there was a 'text all mobiles' a while ago. The technical side of it should not be too tricky (mobile comms engineers, please advise).

      I suspect that in times of national emergency there would be the ability for 'Government' to communicate to everyone directly, although some phones (emergency services etc.) may be exempt. This would be a feature of the mobile phone company licence and contract. The question would be whether people who had downloaded the NHS Covid-19 tracking app already did or did not receive the text message.

    2. Diogenes

      but has to be balanced by the boost to my privacy achieved when my mother in law was banned from entering my entire county (along with everyone else too, I should add).

      Scummo in Australia has gone one better, we aren't even allowed to leave the country without special dispensation. We still have many thousands of citizens who cannot return home as airlines are charging first class fares to make it worthwhile to fly the plane, and then @3k AUD per person to pay for quarantine, and there are limits on how many are allowed into quarantine .

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like