Privacy concerns raised over NHS deal with iProov for facial data collection

Privacy concerns raised over NHS deal with iProov for facial data collection. Image Credit: NHS


iProov has received financial backing from a private equity group which counts two Tory party benefactors among its three partners

Privacy campaigners in England have voiced concerns over an NHS contract with private firm iProov for the collection of facial verification data from citizens in England.

The Guardian reports that privacy groups are concerned about the secrecy surrounding the use of NHS app data and the opacity of the relationship between government and London-based iProov, which specialises in authentication software.

The NHS app in question is different from the NHS Covid-19 app, which is used for contact tracing. Currently, people can use the NHS app to access a range of NHS services, such as viewing medical records, arranging appointments to see a doctor, requesting repeat prescriptions and setting organ donation preferences.

The number of app users reached 10 million this year after it was updated to verify an individual's vaccine status for entry to events such as football matches or for foreign travel.

The app asks some users for biometric facial verification by default, although they are also allowed to opt out of the process.

Users can create an NHS login remotely by uploading a valid piece of government photo ID, such as a driver's licence or passport.

Once a photo is uploaded, the user receives a prompt asking them to position their face within a designated area on their screen. The video is then sent to iProov, which uses Flashmark facial verification technology to verify the identity of the user.

The app also asks users to provide their phone number, postcode and date of birth during the sign-up process. Once authentication is confirmed, users can access all services available via the NHS app, such as making GP appointments and ordering repeat prescriptions.

Privacy groups say the process used to collect and store facial verification data from NHS app users lacks accountability and transparency.

iProov has been linked to Conservative donors, according to The Guardian, and has also received financial backing from private equity group JRJ, which counts two Tory party benefactors among its three partners.

One JRJ partner, the former Lehman Brothers executive Jeremy Isaacs, reportedly donated £661,500 to the Conservative Party and its MPs between June 2006 and February 2021. Another partner, Roger Nagioff, donated £448,500 between May 2004 and February 2020.

"We're deeply concerned by the secrecy surrounding facial verification and data flows in the NHS app, particularly given the involvement of a private company," said Jake Hurfurt, head of research and investigations at civil liberties group Big Brother Watch.

"Anyone who sends personal information to a private company, at the encouragement of the NHS, has a right to know exactly what happens to their data."

Dr Stephanie Hare, author of Technology Ethics, said: "Transparency, explainability and accountability are the holy trinity of technology ethics and they fall down on every one of them."

This is just the latest scandal to emerge around the interaction between private companies and the NHS.

In April, Unite Union, which has 100,000 members in the health service, alleged that 'a culture of Tory cronyism is rapidly enveloping the NHS' and only maximum openness and transparency could start to reverse the trend.

"It appears that the government is more interested in boosting the bank balances of the few than the health and welfare of the many," Unite national officer for health Colenzo Jarrett-Thorpe said.

Earlier, in March, civil liberties group openDemocracy announced an 'important victory' over the NHS's secretive data deals with controversial firm Palantir. The group said that the UK government was forced to make a U-turn following its lawsuit over the involvement of Palantir in the NHS Covid-19 data store.

At that time, the government committed to not extending Palantir's contract beyond Covid without consulting the public and also agreed to engage the public, via patient juries, before deciding whether firms like Palantir should be offered long-term contracts in the NHS at all.