Professor Sir Jonathan Montgomery
Chair - Ethics Advisory Board (CV19 App)

24 April 2020

Dear Secretary of State,

Key principles for an ethical and effective CV19 contact tracing app

The COVID-19 pandemic is a public health emergency on a scale that we have never experienced before. Our NHS and the many thousands of critical workers who have kept the UK running have been a source of great pride during these challenging times.

There are no easy solutions in managing this outbreak. Approximately 90% of the population are currently living in lockdown. While this approach appears to have been effective in achieving the immediate and ultimate goal of flattening the curve and saving lives, the impact on personal freedoms and mental health is considerable, and the economic consequences are severe. This makes the current situation unsustainable in the long-term.

To emerge safely from lockdown with the support and confidence of the public, difficult practical and policy decisions will have to be taken and important value judgments made. This will require a careful combination of principles and pragmatism.

The establishment of the Ethics Advisory Board (EAB) signals a welcome commitment to the development and deployment of the CV19 app being open to independent scrutiny and constructive challenge. Since being established we have met weekly and in this letter we set out a series of principles to be adopted in order to ensure ethical issues posed by the development and rollout of the CV19 app are captured and addressed.

We recognise that the app is one tool in a wider strategy of testing, tracking and tracing; indeed, an over reliance on a single approach would be high risk. However, the EAB’s focus is on the CV19 app although we have reflected on this wider context.

It is our view that there is an ethical imperative to explore the use of technology which could be deployed to support efforts to stop the spread of COVID-19.
But we also have a responsibility to address the ethical risks posed by the mass deployment of any new technologies. It is also the case that new approaches are not always the best and the fundamental effectiveness of the app is of overriding importance.

Our advice, which provides our conditional support for the CV19 App, is provided on the information we have available to us at this point in time. The EAB reserves the right to provide different advice in the future.

At the heart of any sustainable removal of current measures will be the achievement of intelligent and risk-based physical distancing designed to reduce the R value and limit the pressure on the NHS. Such a response requires a combination of contact tracing, testing, and quarantining of those who are shown to be infected with COVID-19. The high proportion of infections originating in people who are presymptomatic means that standard approaches to contact tracing remain important but are too slow to be effective on their own. A contact tracing app has the potential to form part of the solution to this problem but, as with all innovative measures, this involves a degree of uncertainty.

A trustworthy approach is crucial to the success of a CV19 app. The government’s perceived success or failure in this endeavour will have implications for future uses of data driven technology by government and public services for many years to come. Indeed, this is the time for the government to demonstrate its ability to use technology for the public good, in an ethical way, and to build strong foundations of trust.

Ongoing review of the app by the EAB will be helpful in maintaining public trust by continuing to provide essential scrutiny and constructive challenge.

In this letter we set out six principles that must be upheld to ensure the CV19 contact tracing app is ethical.
Given that securing and maintaining public trust is paramount, these principles are based on a set of key components of trustworthy data use: value, security, accountability, transparency and control (see Appendix). The advice we give in this letter seeks to strengthen and protect these important principles. It is based on work originally developed by the Centre for Data Ethics and Innovation, and informed by engagement with expert stakeholders and the public, a review of briefing papers and presentations provided by NHSx, as well as reports produced by non-government organisations and academics.

Six principles to ensure that the CV19 contact tracing app is ethical:

1. Value: There must be good reason to believe that the app will provide sufficient net-value back to the citizen or society as a whole so as to justify its introduction and any adverse consequences for individuals.
   ○ The value proposition of the app to users should be clearly articulated. If the value proposition changes this should be communicated, and the process by which this happens should be transparent.
   ○ To encourage citizens to download an app which does not offer a strong value proposition would be misleading and could damage trust, which could in turn reduce the effectiveness of the app and of future technological solutions.
   ○ The app should undergo an Equalities and Health Inequalities Impact Assessment to ensure that it does not have disproportionate negative impacts on certain groups.
   ○ To avoid introducing unacceptable levels of inequity, access to the app should not give exclusive access to services or freedoms. While it is appropriate that the app offers benefits which increase its value proposition and therefore incentivise use, alternatives should be provided for those who cannot or do not wish to use the app.

2. Impact: There must be good reason to believe the app will be an effective tool in controlling the outbreak of COVID-19.
   ○ The app should be technically effective.
     It would be unethical to encourage citizens to download an app which is technically flawed.
   ○ The app should be sufficiently attractive to users to make it reasonable to expect that it will be downloaded by enough people to achieve public health benefits.

3. Security and privacy: Data sharing and storage should be secure. The data collected should be minimised and protected as much as possible, so users’ privacy is preserved.
   ○ Any use of data which compromises a user’s anonymity should be done only for the protection of public health and in accordance with the law. Necessary intrusions into privacy should be proportionate to this legitimate aim. Where possible, consent should be requested.
   ○ A Data Protection Impact Assessment and a privacy assessment should be carried out to ensure appropriate compliance with privacy and security standards.

4. Accountability: There must be a reliable and understandable decision-making process in place to manage the app - with clear democratic accountability, particularly with regards to introducing new functionality, data collection or use cases.
   ○ There should be ongoing evaluation of the app to monitor both its effectiveness and any risks that arise from its use. Decision points about continued use of the app also need to be made clear.

5. Transparency: Details on what data is gathered and why, as well as the app’s code and underlying algorithms must be available publicly to enable scrutiny and give people the ability to object to decisions.
   ○ All communications made via the app, and about the app, should be transparent and proportionate. App alerts should state clearly what information they are based on.

6. Control: Users should be able to see what kinds of data are held about them so that they can understand how it is impacting on decisions.
   ○ Downloading the app should be voluntary.
     The app should be built with a minimum data-sharing level with a series of clear opt-ins for further data sharing and use. Users should be able to delete the app and their data at any point.
   ○ Additional functionality would require clear communications and opt-ins for existing users.

For reasons of trust and transparency it is important that the value proposition of the app is well understood and clearly articulated at all stages of its deployment. This value proposition may evolve if circumstances change, particularly if the app becomes a key route to obtaining immunity certificates or is ever used as a means of accessing certain services or freedoms.

When it comes to the effectiveness of the app, the Board recognises the benefit of using self-reported symptoms alongside virologically confirmed cases to trigger proximity cascades. Self-reporting enables users to inform contacts relatively quickly that they may be at risk so that they can take the appropriate action. This is a cautionary approach and while it may cause disruption to people’s lives, this inconvenience is a direct trade-off with the significant potential to intervene early and limit the spread of the virus that self-reporting offers.

Participants in focus groups with members of the public have, however, expressed concerns about the reliability of an app which is based solely on self-reporting. EAB members have voiced similar concerns and worried that false positive alerts could undermine trust in the app and cause undue stress to users. The impact of false negatives was an additional concern, particularly that users may develop a false sense of security. This possibility underlines the importance of clarity and effective communication. But we would also caution against proceeding with the app without widespread access to virological testing.
It is our view that introducing widespread testing and incorporating this into the app as soon as reasonably possible would significantly increase both confidence in the app and its efficacy, as users will be more likely to follow its advice.

We also urge a consideration of the extent to which the app could introduce or exacerbate inequities. Ofcom data suggests that 21% of UK adults do not use a smartphone. While the community benefits of a contact tracing app should still extend to this group, an increase in manual contact tracing is a crucial additional measure which will enhance the effectiveness of the public health approach and build public confidence. If the app becomes a tool for accessing currently restricted services or freedoms, such as permission to return to work, to use public transport, or to enjoy other freedoms, this would drastically alter the value proposition of the app and potentially introduce new levels of inequity which would need to be identified and addressed.

We are aware that work to develop the app is progressing at pace and a first rollout is planned imminently. It is vital that the speed at which the app is, understandably, being developed does not undermine the importance of scrutiny or the need for transparency. Similarly, it is important that in the desire to maximise take-up of the app, commitments are not made to citizens which are then reversed at a later date. This would profoundly damage public trust.

The EAB has identified a number of more specific considerations designed to ensure the initial rollout is as ethical as possible. These are set out directly in the appendix attached to this letter and are framed around the principles identified above.

To build and maintain public trust, the app must continue to be developed in a way that is sensitive to ethical issues. The EAB has an important role to play by providing independent constructive challenge.
As a group and as individuals, we are pleased to be able to fulfil this role and offer our continued support in doing so.

Yours sincerely,

Prof Sir Jonathan Montgomery
Chair
Ethics Advisory Board (CV19 App)

Appendix 1

Considerations for initial roll out of the CV19 contact tracing app

Value / Impact

1. Before the app is launched in a small area, there must be good reason to believe that the app will be effective in bringing health benefits to individuals and the wider community, and in controlling the Covid-19 outbreak.
2. The value of the app should be transparently communicated to users based on a full understanding of the app’s anticipated uses, functions, and effectiveness.
3. Whilst the EAB recognises that the app will not be used by all sections of society due to differing levels of access to technology across the population, in order to ensure equity, the app should only be deployed as part of a plan in which it can be explained how the benefits extend to everyone.
4. The app must be part of a wider package of measures so that those without the app are not afforded less protection from the virus.

Security and Privacy

1. The app should be designed in line with the principles of data minimisation and privacy protection, noting that users may give specific consent to voluntarily provide additional data.
2. Security is essential for trust in technology and if there is a reasonable doubt relating to the app’s security, it should not be deployed. Commitments to the app’s security should be published.
3. If any security breaches occur, these should be communicated to users immediately. Any security breach should be followed by a comprehensive assessment of the cause and measures should be put in place to reduce the risk of any further breaches.

Accountability

1. There should be clear lines of accountability for every major decision made about the app.
2. The governance mechanisms underpinning the decision-making process about the deployment of the app should be openly communicated to the Ethics Advisory Board who play an essential oversight role on behalf of the public.
3. There should be a risk register which is shared with the Ethics Advisory Board. The risk register should include clear thresholds that are monitored and could trigger the suspension or withdrawal of the app.
4. There should be robust ongoing monitoring and evaluation of the app’s effectiveness and impact, the outputs of which should be reflected in decisions made about the future of the app (as well as improvements to its functionality).
5. The initial terms and conditions of the app should be made available to the EAB for review prior to launch.

Transparency

1. All information about the app should be communicated to users in clear and plain language.
2. Alerts should be delivered with transparent and proportionate messaging in line with Public Health England guidance.
3. Any changes to the app’s terms and conditions should require additional consents with the option to reject the new terms without losing access to the app.
4. NHSx should be as transparent as possible about the app, including regularly publishing information that is in the public interest, such as data on app take-up.
5. The app’s code and algorithm should be publicly available at the earliest opportunity.

Control

1. Downloading the app should be voluntary.
2. Users should be able to delete the app and their data at any point.

Appendix 2

Public Trust Matrix for use in considering ethical issues regarding the Contact Tracing app

The matrix has three columns: component of trustworthy data use, specific issue, and main concerns. Each component is listed below with its specific issues and the main concerns under each.

Value (and impact): providing value back to the citizen or society as a whole. There needs to be specific consideration of the potential risks an individual or group might incur from downloading and using the app, and there needs to be an inclusive way of weighing these benefits and risks.
   ○ Effectiveness: How will a COVID-19 status be input into the app: self-diagnosis or virological testing? There is a risk that the quality of the data from self-testing will not be reliable or valid enough for this to work effectively.
   ○ Equity & Fairness: Will this be equal access to all in the UK? Will there be any blackspots? Will there be any risk of discriminating against certain groups who may be less able/likely to download this app? Will there be a different process for NHS workers and key workers?

Security: Data sharing should be done competently. This means data is secure, and it is minimised and protected as much as possible, so users feel sure that their individual privacy is protected from misuse.
   ○ Prevent Misuse: Are there appropriate measures in place to prevent misuse? How do we reduce the scope for vigilante type action or for misuse by other agencies whose employees are using the app & receive an alert? Has there been thought through a range of 'bad actor' scenarios to stress test the types of misuse/abuse/breach that could arise? How will problems/errors be rectified/redressed?
   ○ Deletion: Will there be the right to request deletion of the data associated with the app and its history? What does this mean in practice? Will there be the opportunity at the end of the epidemic for people to opt out of subsequent data use?

Accountability: There must be a reliable and understandable decision-making process, with sufficient public engagement and input.
   ○ Decision making: Accountability structures should include arrangements for inclusive decision making involving members of the public.
   ○ Consent: If individual subjects do not give explicit consent, what mechanisms are in place to ensure broader societal consent? How will consent be designed so that it's understandable? Current consent practice focuses on individual consent. What is being planned with the app is not only consent to potentially collect information about one’s own location, but one’s proximity to others too. After the initial emergency response, this will need collective consent mechanisms and a critical approach to how the design and content design of these consent moments are put together.

Transparency: Details on who, what, and why are available publicly to enable scrutiny and give people the ability to object to decisions.
   ○ Communication: How can we ensure that we don’t over promise to the public and then risk losing public trust later on when things are not what they seemed? An example of this is in the claims over anonymity: promises of anonymity can rarely be met. Is it better to be transparent on what data is being collected, and have really excellent communications and consent that explains this to people clearly? Is there a clear commitment that the data will only be used for the purpose stated? Is there acknowledgement that if the operation of the app can change over time and in the future, this is properly communicated and the process by which this happens transparent? Is there an effective communication strategy that outlines the trade-offs to relevant parties, and sets out when and why data will be shared?

Control: People can see what data is held about them, how it is impacting decisions, and have as much say over how it is used as possible.
   ○ Compulsion/voluntariness: Is usage voluntary? If requirements are imposed for people to have the app (e.g. to return to work, to use public transport), are these reasonable and non-discriminatory beyond the health status?
*The matrix is based on work originally undertaken by the Centre for Data Ethics and Innovation

Appendix 3

Membership and Terms of Reference of the Ethics Advisory Board

Membership

● Professor Sir Jonathan Montgomery (Chair), Professor of Health Care Law, University College London, Chair Oxford University Hospital Trust; Chair of the DHSC Moral and Ethical Advisory Group
● Roger Taylor (Vice chair), Chair of Centre for Data Ethics and Innovation, Chair of OFQUAL
● Professor Luciano Floridi, CDEI Board member and Professor of Philosophy and Ethics of Information at the University of Oxford; Director of the Digital Ethics Lab of the Oxford Internet Institute; Chair of the Data Ethics Group of the Alan Turing Institute.
● Nicola Perrin, Independent expert, former Head of Policy at Wellcome and Head of Understanding Patient Data
● Dame Glenys Stacey, CDEI Board member and Chair of the Professional Standards Authority
● National Data Guardian representatives (on rotation):
   ○ Dr Alan Hassey, Retired GP and member of the NDG
   ○ Professor James Wilson, Professor of Philosophy University College London and member of the NDG
● Lay members: (from NHSx National Data Collaborative):
   ○ John Marsh
   ○ Richard Stephens
● Gus Hosein, Executive Director, Privacy International
● Professor Lilian Edwards, Prof of Law, Innovation & Society at Newcastle University [1]

[1] Became a member of the EAB after the letter was written to the Secretary of State.

Terms of Reference

1. Purpose

1.1 The purpose of the Ethics Advisory Board (EAB) is to ensure that the development of the NHS COVID APP helps control the Covid-19 epidemic and return people to normal life more rapidly whilst operating in line with ethical requirements, and is transparent and open to public scrutiny. In doing this, it will provide assurance to the public that they can trust that their privacy and other interests are appropriately protected if they use the APP to participate in the project.

2. Functions

2.1 Functions for the board are:
a) identify, respond to, define and examine relevant ethical issues as set out in to inform the successful and ethically appropriate achievement of the aims of the APP PROJECT in the public interest, including consideration of the interests of citizens;
b) develop an ethics framework to serve as a reference point for the deliberations and work commissioned by the EAB and the APP OVERSIGHT BOARD;
c) develop a model of good ethical practice for the successful completion and delivery of the APP PROJECT in the public interest;
d) keep the APP OVERSIGHT BOARD informed about key developments in the public and professional discussion of relevant ethical aspects and policy developments in trustworthy data use;
e) provide timely ethical review and advice on policies and other documents under development by the APP PROJECT.
f) act as a responsive ethics resource, providing timely advice, guidance and recommendations on ethical issues, as requested by the APP OVERSIGHT BOARD;
g) provide timely ethical review and advice on policies and other documents under development by the APP PROJECT.

3. Reporting responsibilities

3.1 The EAB will provide regular and formal advice to the APP OVERSIGHT BOARD who will be free to act on it at their discretion. Advice may be both on questions set specifically by the APP OVERSIGHT BOARD as well as issues which the EAB has proactively identified in line with what is set out in [3.1]. This may include verbal advice as well as tabled papers.

3.2 Draft Minutes of EAB meetings shall be circulated to all members of the EAB and, once agreed, to the APP OVERSIGHT BOARD.

3.3 There is an expectation that formal advice should be made public either through minutes or other appropriate means to increase transparency and accountability.

4. Membership

4.1 Members will be selected based on their personal expertise, and to contribute to the combined balance of expertise on the EAB in relation to the needs of the APP PROJECT.

4.2 The credibility and impact of the EAB depends on the independence and objectivity of its advice and on the confidence of others in its integrity. It is important therefore that in their Board activities members abide by the highest standards of behaviour as set out in the Seven Principles of Public Life. [2]
● The EAB Membership should include representation of the [Participant Panel] and/or a member of the public.

4.3 During its initial stage of operation, the EAB can [through unanimous agreement] invite further members to join should it identify any significant gaps of expertise.

5. Duties

5.1 The EAB shall, in conducting all of its duties in accordance with these Terms of Reference, act in a way that it considers in good faith, would be most likely to promote the ethically appropriate achievement of the aims of the APP PROJECT. In doing so, the EAB must have regard (among other matters) to:
(a) the likely consequences of any advice in the long term and its impact on the broader governance of data use;
(b) the interests of ‘participants’ who have downloaded the app and are sharing data, as well as the general public given the publicly funded nature and society-wide relevance of the APP PROJECT;
(c) the interests of the broader community of stakeholders including employees, scientists and clinicians, interest groups, medical charities, civil society groups, privacy advocates and other potential collaborators;
(d) the impact of the NHSx operations on the community and the environment; and
(e) the desirability of the NHSx maintaining a reputation for high standards of conduct and promotion of trustworthy data use.

5.2 The Chair should ascertain, at the beginning of each meeting, the existence of any conflicts of interest and minute them accordingly.

[2] The 7 Principles of Public Life, Committee on Standards in Public Life

6. Initial stage of operation

6.1 The EAB shall meet formally at least once a month and at such other times as the Chair shall require. Meetings should be organised so that attendance by members is maximised.

6.2 In its first six weeks of operation the expectation is that the EAB will need to be agile and flexible and that Board Members may be called to meetings as determined by development phases of the APP PROJECT. Advice and input may also be sought over correspondence but effort should be made to arrange for Board meetings.

6.3 The EAB will continue to operate as set out within these Terms of Reference during the first phase of development and deployment of the APP PROJECT. Following this, there is an expectation that the Terms of Reference and membership shall be reviewed to ensure that it continues to be constituted in the most appropriate way.

7. Secretariat and role of Centre for Data Ethics and Innovation

7.1 During the initial stage of operation the secretariat shall be provided by the Centre for Data Ethics and Innovation. This may include research and engagement resources to support the Probity Workstream and to provide the EAB with effective and informed advice.

7.2 Board Members who hold membership on both the CDEI Board and the EAB are expected to treat these memberships as separate. However, there will be an assumption that those Board Members will advise and update the CDEI Board at regular intervals and may also seek input from the CDEI Board to be shared with the EAB.