Elizabeth Denham, the Information Commissioner, has published a blog post on tackling Covid-19 through data and the privacy issues arising. Alongside that, the agency has also issued a formal Opinion covering Google and Apple’s work on contact tracing technology.
In the post, she highlights that data protection law emerged in the UK out of a concern that the benefits of new technology could be lost if advances were not embraced by the population. Data protection law was seen as a way to support innovation by assuring people that checks were in place to prevent the build-up of intrusive pictures of their lives. She believes that this is still very relevant today in light of contact tracing and the use of location data to fight the coronavirus pandemic. The ICO has already issued a statement in which it made the point that data protection laws do not get in the way of innovative use of data in a public health emergency, as long as legal principles (transparency, fairness and proportionality) are applied.
The ICO has issued a series of questions (summarised below) that those using these new technologies should ask themselves to ensure that the privacy implications are properly considered, and that they do not put public trust and social licence at risk.
Have you demonstrated how privacy is built in to the processor technology?
The principles of data protection by design and by default are central to the law. Organisations creating apps will need to take a similar approach. Even if organisations are moving quickly, an initial privacy impact assessment that is reviewed later is a minimum requirement.
Is the planned collection and use of personal data necessary and proportionate?
The ICO supports digital innovation that can address challenges prompted by the public health emergency, but the public need to know that thought is being given to finding the least privacy-intrusive solutions. This is especially important when “location data” can mean many things. Some location data gives a more exact location than others. Some projects may be able to rely on data that is pseudonymised or anonymised to reduce the risk of re-identification. Conversations on proportionality must be informed by evidence. Context is important here too, and as a regulator the ICO says it will reflect a society that is, for now, accepting restrictions on liberty to protect public health.
What control do users have over their data and how can they exercise their rights?
App developers should be providing people with clear information on how their information is being used, and their options for preventing processing where applicable. For instance, where contact tracing is being incorporated into a wider package of measures, this additional information would need to be clear.
How much data needs to be gathered and processed centrally?
The starting point for contact tracing should be decentralised systems that look to shift processing on to individuals’ devices where possible. Safeguards and security measures need to accompany this, as well as any transfers of information. When in operation, organisations should consider what the governance and accountability processes are for ongoing monitoring and evaluation of data processing, to ensure it remains necessary and effective, and to ensure that the safeguards in place are still suitable.
What happens when the processing is no longer necessary?
The ICO says that this is especially crucial: what is appropriate and proportionate in response to an international public health emergency looks quite different when that emergency ends. What consideration has been given to how data collection ends, and what happens to the data gathered?
The ICO has had input into the proposed NHS contact and tracing app. In particular, it has outlined the high level of transparency and governance this app would need, and the need for continued review of whether the data being collected and used is necessary and proportionate. The ICO will provide oversight during the life of the app.
The Opinion is primarily for organisations involved in the project, particularly app developers who want to utilise the API. The ICO confirms in the Opinion that the project appears to broadly align with the principles of data protection by design and default, while being clear that app developers must still take their own measures to ensure they comply with data protection law.