Collecting data for the Contact Tracing Scheme?

As the UK government works with Google and Apple to launch a new contact tracing app, there are justified concerns about data protection of personal data, particularly sensitive medical data. The government has narrowly escaped a judicial review, threatened by a privacy campaigning organisation, Open Rights Group (ORG), on its failure to conduct a thorough data protection impact assessment (DPIA) on the NHS Test and Trace Programme. This has highlighted the need to stay vigilant about data protection rights, even in the midst of a pandemic.

What is a DPIA?

A DPIA must be conducted prior to data processing that is likely to result in a high risk to individuals. Completing a DPIA is a process to assess the impact of the data processing, identify the risks to individuals and the measures to mitigate those risks.

Contact tracing app

The government’s contact tracing app is designed to support the NHS Test and Trace service and will enable smartphone users to order a test, scan the unique QR codes of venues visited and identify when they have been exposed to people who have COVID-19 or locations with multiple infections.

The advantages are obvious but designing an app like this is immensely complicated and usually takes years in development. There is pressure to have an app soon, which is why the tech giants have been enlisted. The app is built using technology based on a decentralised model where the government does not have access to citizen data. The government states where further information is required, this will be based on obtaining explicit consent from the user.

ORG’s challenge to the government’s plans

The government says it is committed to ensuring the highest standards of data privacy and data security but it recently came under fire when challenged by ORG.

ORG alleged that the government did not comply with Article 35 of GDPR by having a DPIA in place to cover the entirety of the NHS Test and Trace Programme (the programme). In its response, the government was forced to admit weaknesses in its approach to conducting a DPIA.

General Data Protection Regulation (GDPR)

Article 35 of the GDPR introduced a formal requirement for organisations to conduct a DPIA:

‘Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.’

Article 35(7) provides certain minimum requirements for DPIAs such as assessing the risks to the rights and freedoms of data subjects and identifying measures to address those risks.

The government’s position

In the government’s response to ORG, it noted that: nothing in Article 35 is prescriptive about precisely how a DPIA should be conducted; there is no reason why the obligation can’t be met by reference to more than one document; and that the obligation to carry out a DPIA is a procedural one.

The government repeatedly pointed out the pace at which it has been required to work due to the COVID-19 pandemic, and that:

‘it will doubtless be appreciated that the creation, development and adjustment of the Programme has had to occur on an unparalleled scale with unparalleled urgency, to help to meet the most serious public health crisis in a century.’

However, the government accepted that Article 35 was applicable and that prior to the commencement of the programme, a DPIA for all aspects of the programme was not in place. The government noted that it would have been preferable for there to have been a single overarching DPIA in place prior to the commencement of the programme but that the absence of one didn’t mean data protection wasn’t an important part of the programme’s design. Although various aspects of the programme had been subject to a bespoke DPIA, the government acknowledged that an overall DPIA was required and that one is now being finalised and they are working closely with the Information Commissioner’s Office (the ICO). Given the requirement to carry out a DPIA ‘prior to the processing’ this appears to be a tacit admission that the government had broken the law.

Take away points

The ICO provides guidance for businesses who are collecting customer data for the contact tracing scheme. Businesses must be clear, open and honest about why they are collecting data, who they will be sharing it with and how long they will keep it. The take away is don’t get caught out like the government did. Completing a DPIA at the outset of any new process is the way to start.