Undisclosed private companies analysing facial data from NHS app

Fresh privacy concerns raised after NHS refuses to reveal firms used for ID verification process

Undisclosed companies are analysing facial data collected by the NHS app, which is used by more than 16 million English citizens, prompting fresh concern about the role of outsourcing to private businesses in the service.

Data security experts have previously criticised the lack of transparency around a contract with the NHS held by iProov, whose facial verification software is used to perform automated ID checks on people signing up for the NHS app.

The Guardian now understands that French company Teleperformance, which has attracted criticism in the UK over working conditions, uses an opaque chain of subcontractors to perform similar work under two contracts worth £35m.

The NHS app, which is separate from the Covid-19 app, can be used for anything from booking GP appointments to ordering repeat prescriptions. But one feature has driven rapid take-up since travel restrictions were lifted in May: the app is the easiest means of accessing the NHS certificate proving an individual’s Covid-19 vaccination status.

The app requires users to go through an ID verification process to access these services, with some people directed to an automated process powered by iProov’s software.

When that process fails or is unavailable, the NHS app falls back on manual checks, in which users record a short video of themselves reading out a set of four numbers, as well as uploading an ID document.

The video is then sent to a team of identity checkers, who compare the ID photo with the user’s face in the video.

A spokesperson for the NHS said these staff were trained by the Home Office and were all based in England. Some work for NHS Digital directly.

But the NHS later admitted that Teleperformance, which performs much of the work, is permitted to subcontract the ID process to other companies.

It said these companies are subjected to “stringent” checks and that identity checkers must complete specialist training, pass quality assurance, audit and supervisory checks, all managed by NHS Digital.

Both NHS Digital and Teleperformance declined to provide a list naming the subcontractors.

The NHS has published a partly redacted version of one of the contracts with Teleperformance, a £7m agreement covering April to June this year, but has not published a larger £28m contract running from June 2021 to March 2022.

It also hasn’t published a data protection impact assessment (DPIA), a document governing how the personal data of people signing up to the NHS app is used, collected and stored.

The NHS is understood to be considering publishing redacted versions of the second contract and the DPIA. Teleperformance did not return multiple requests for comment about how it processes and protects the data its manual checkers receive.

Civil liberties campaign group Big Brother Watch said there was “no reason at all” not to publish contracts and supporting information about the companies involved and their procedures.

“People don’t even know which companies are involved in processing this identification data, where they’re based, or what privacy protections are in place. There is a clear and pressing need for transparency around this curious tech set up,” said director Silkie Carlo.

The concerns echo those expressed earlier this week about iProov’s contract, which also hasn’t been published and is governed by the same DPIA. The government has said the documents have not been published for security reasons.

Dr Stephanie Hare, author of the forthcoming book Technology Ethics, said: “It is best practice to publish as much as is possible for transparency, important especially in government contracts, for building and maintaining trust.

“Security concerns are relevant so there will be aspects that cannot be published because the government does not want its systems breached.

“But the public should be able to know how this works, the track record of the companies doing the work, what happens with the data, who can access it and how.”

A spokesperson for NHS Digital said: “The NHS App is helping millions of people to quickly and easily access their NHS Covid Pass, and frees up time for GP surgeries by allowing people to book appointments and order repeat prescriptions online.

“Our NHS login identity verification process is clearly explained to app users and means people using the NHS App can trust that their data will be safe and secure.”

Teleperformance is a call centre specialist whose clients include the health and education departments of the UK government, NHS Digital, the Student Loans Company, the RAF and the Royal Navy. Its private clients include Vodafone, eBay, Aviva, Volkswagen and the Guardian.

It has been the target of repeated claims that its workers are treated poorly and subjected to surveillance.

At the time, the company said it “complies with all local, national and international laws, regulations and standards … including those regarding security, privacy and compliance.”


Rob Davies
