Undisclosed companies are analysing facial data collected by the NHS app, which is used by more than 16 million English citizens, prompting fresh concern about the role of outsourcing to private businesses in the service.
Data security experts have previously criticised the lack of transparency around a contract with the NHS held by iProov, whose facial verification software is used to perform automated ID checks on people signing up for the NHS app.
The Guardian now understands that French company Teleperformance, which has attracted criticism in the UK over working conditions, uses an opaque chain of subcontractors to perform similar work under two contracts worth £35m.
The NHS app, which is separate from the Covid-19 app, can be used for anything from booking GP appointments to ordering repeat prescriptions. But one feature has driven rapid take-up since travel restrictions were lifted in May: the app is the easiest means of accessing the NHS certificate proving an individual’s Covid-19 vaccination status.
The app requires users to go through an ID verification process to access these services, with some people directed to an automated process powered by iProov’s software.
When that process fails or is unavailable, the NHS app falls back on manual checks, in which users record a short video of themselves reading out a set of four numbers, as well as uploading an ID document.
The video is then sent to a team of identity checkers, who compare the ID photo with the user’s face in the video.
A spokesperson for the NHS said these staff were trained by the Home Office and were all based in England. Some work for NHS Digital directly.
But the NHS later admitted that Teleperformance, which performs much of the work, is permitted to subcontract the ID process to other companies.
It said these companies are subjected to “stringent” checks and that identity checkers must complete specialist training, pass quality assurance, audit and supervisory checks, all managed by NHS Digital.
Both NHS Digital and Teleperformance declined to provide a list naming the subcontractors.
Because of course they can.
Needless to say, I had to jump through several of the above hoops when I registered on the NHS app, so my data will be among the troves outsourced to who-knows-where, and I suspect then funnelled back in the UK to build better databases for surveillance and monitoring. All while proclaiming that “we take privacy very seriously” and “stringent checks are made”.
The sad fact, it seems to me, is that governments won’t crack down on data laundering like this because it gives them an easy way to route around the promises they made to their electorate about privacy.