Undisclosed companies are analyzing facial data collected by the NHS app, which is used by more than 16 million UK citizens, raising new concerns about the role of outsourcing to private companies in the service.
Data security experts have previously criticized the lack of transparency around an NHS contract held by iProov, whose facial verification software is used to perform automated identity checks on people signing up for the NHS application.
The Guardian now understands that French company Teleperformance, which has drawn criticism in the UK over working conditions, is using an opaque chain of subcontractors to perform similar work under two contracts worth £35 million.
The NHS app, which is separate from the Covid-19 app, can be used for everything from booking GP appointments to ordering repeat prescriptions. But one feature has led to rapid adoption since travel restrictions were lifted in May: The app is the easiest way to access an NHS certificate proving an individual’s Covid-19 vaccination status.
The app requires users to go through an identity verification process to access these services, with some people being directed to an automated process powered by iProov software.
When this process fails or is unavailable, the NHS app resorts to manual checks, in which users record a short video of themselves reading a set of four digits, as well as uploading an identity document.
The video is then sent to a team of ID verifiers, who compare the ID photo with the user’s face in the video.
An NHS spokesperson said the workers had been trained by the Home Office and were all based in England. Some work directly for NHS Digital.
But the NHS later admitted that Teleperformance, which does much of the work, is allowed to outsource the identification process to other companies.
It said these companies are subject to “strict” controls and identity verifiers must undergo specialized training, pass quality assurance, audit and oversight checks, all managed by NHS Digital.
NHS Digital and Teleperformance both declined to provide a list naming the contractors.
The NHS has published a partially edited version of one of the contracts with Teleperformance, a £7 million deal spanning April through June this year, but has not published a larger £28 million contract from June 2021 to March 2022.
Nor has it issued a Data Protection Impact Assessment (DPIA), a document governing how the personal data of people signing up for the NHS app is used, collected and stored.
The NHS plans to release drafted versions of the second contract and the DPIA. Teleperformance has not returned multiple requests for comment on how it treats and protects the data its manual reviewers receive.
Civil liberties campaign group Big Brother Watch said there was “no reason” not to publish contracts and supporting information on the companies involved and their procedures.
“People don’t even know which companies are involved in processing this identifying data, where it is based, or what privacy protections are in place. There is a clear and pressing need for transparency around this curious technological configuration,” said Director Silkie Carlo.
The concerns echo those voiced earlier this week about iProov’s contract, which has also not been released and is governed by the same DPIA. The government said the documents had not been released for security reasons.
Dr Stephanie Hare, author of the forthcoming book Technology Ethics, said: “It is good practice to publish as much as possible for transparency, which is important especially in government contracts, to build and maintain trust.
“The security issues are relevant, so there will be aspects that cannot be released because the government does not want its systems to be breached.
“But the public should be able to know how it works, the backgrounds of the companies doing the work, what’s going on with the data, who can access it and how.”
A spokesperson for NHS Digital said: “The NHS app helps millions of people access their NHS Covid Pass quickly and easily and frees up time for general surgeries by allowing people to book appointments and order repeat prescriptions online.
“Our NHS sign-in identity verification process is clearly explained to app users and means that people using the NHS app can be confident that their data will be safe and secure.”
Teleperformance is a call center specialist whose clients include the UK government health and education departments, NHS Digital, the Student Loans Company, the RAF and the Royal Navy. Its private clients include Vodafone, eBay, Aviva, Volkswagen and The Guardian.
It has been the target of repeated claims that its workers are treated badly and are subject to surveillance.
At the time, the company said it “complies with all local, national and international laws, regulations and standards … including those relating to security, privacy and compliance.”