Undisclosed companies are analysing facial data collected by the NHS app, which is used by more than 16 million English citizens, prompting fresh concern about the role of outsourcing to private businesses in the service.
Data security experts have previously criticised the lack of transparency around a contract with the NHS held by iProov, whose facial verification software is used to perform automated ID checks on people signing up for the NHS app.
The Guardian now understands that French company Teleperformance, which has attracted criticism in the UK over working conditions, uses an opaque chain of subcontractors to perform similar work under two contracts worth £35m.
The NHS app, which is separate from the Covid-19 app, can be used for anything from booking GP appointments to ordering repeat prescriptions. But one feature has driven rapid take-up since travel restrictions were lifted in May: the app is the easiest means of accessing the NHS certificate proving an individual’s Covid-19 vaccination status.
The app requires users to go through an ID verification process to access these services, with some people directed to an automated process powered by iProov’s software.
When that process fails or is unavailable, the NHS app falls back on manual checks, in which users record a short video of themselves reading out a set of four numbers, as well as uploading an ID document.
The video is then sent to a team of identity checkers, who compare the ID photo with the user’s face in the video.
A spokesperson for the NHS said these staff were trained by the Home Office and were all based in England. Some work for NHS Digital directly.
But the NHS later admitted that Teleperformance, which performs much of the work, is permitted to subcontract the ID process to other companies.
It said these companies are subjected to “stringent” checks and that identity checkers must complete specialist training, pass quality assurance, audit and supervisory checks, all managed by NHS Digital.
Both NHS Digital and Teleperformance declined to provide a list naming the subcontractors.
The NHS has published a partly redacted version of one of the contracts with Teleperformance, a £7m agreement covering April to June this year, but has not published a larger £28m contract running from June 2021 to March 2022.
It also hasn’t published a data protection impact assessment (DPIA), a document governing how the personal data of people signing up to the NHS app is used, collected and stored.
The NHS is understood to be considering publishing redacted versions of the second contract and the DPIA. Teleperformance did not return multiple requests for comment about how it processes and protects the data its manual checkers receive.
Civil liberties campaign group Big Brother Watch said there was “no reason at all” not to publish contracts and supporting information about the companies involved and their procedures.
“People don’t even know which companies are involved in processing this identification data, where they’re based, or what privacy protections are in place. There is a clear and pressing need for transparency around this curious tech set up,” said director Silkie Carlo.
The concerns echo those expressed earlier this week about iProov’s contract, which also hasn’t been published and is governed by the same DPIA. The government has said the documents have not been published for security reasons.
Dr Stephanie Hare, author of the forthcoming book Technology Ethics, said: “It is best practice to publish as much as is possible for transparency, important especially in government contracts, for building and maintaining trust.
“Security concerns are relevant so there will be aspects that cannot be published because the government does not want its systems breached.
“But the public should be able to know how this works, the track record of the companies doing the work, what happens with the data, who can access it and how.”
A spokesperson for NHS Digital said: “The NHS App is helping millions of people to quickly and easily access their NHS Covid Pass, and frees up time for GP surgeries by allowing people to book appointments and order repeat prescriptions online.
“Our NHS login identity verification process is clearly explained to app users and means people using the NHS App can trust that their data will be safe and secure.”
Teleperformance is a call centre specialist whose clients include the health and education departments of the UK government, NHS Digital, the Student Loans Company, the RAF and the Royal Navy. Its private clients include Vodafone, eBay, Aviva, Volkswagen and the Guardian.
It has been the target of repeated claims that its workers are treated poorly and subjected to surveillance.
At the time, the company said it “complies with all local, national and international laws, regulations and standards … including those regarding security, privacy and compliance.”