The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

RE: Privacy implications of measures associated with the global pandemic. 

Thank you for your email of 20 August raising the privacy implications of the government’s response to COVID-19. I welcome the opportunity to provide clarity on the approach I have taken as the UK’s independent data protection regulator.

I can assure you that the priority of my office throughout this period has been to challenge appropriately to ensure that privacy and data protection rights are upheld; and to do so in a way that does not impede unnecessarily the need to safeguard the public’s health. That applies whether it is a national government programme, a local charity’s shielding support scheme for the vulnerable, or any other matter I regulate.

An important aspect of this work had been to provide expert technical advice and support on information rights to organisations working at pace, in the public interest, in these unprecedented times. This includes my Office’s engagement with Public Health England, NHSX and the Department for Health and Social Care in the development of the Test and Trace Programme and other initiatives designed to deal with the public health crisis.

My role as a regulator provides me with both ex-ante and ex-poste responsibilities, which are integral to the effective regulation of both the development and deployment of innovative products and services. In such circumstances regulators need to strike a fine balance between enabling innovation in the public interest and protecting the public from the potential for unnecessary privacy intrusion which poorly informed innovation may cause.

Both the GDPR and the Data Protection Act 2018 provide these functions to the ICO and they operate in a complementary manner. Early advice will help organisations address risk and get data protection and privacy protections right, whilst regulatory follow up on compliance concerns should they remain means data controllers are held accountable under data protection law.

It is in this spirit that we have provided advice on the data protection implications of a number of initiatives by the UK Government, the NHS, local councils and private sector organisations to respond to the public health crisis.

This provision of advice includes the Test and Trace Programme and contact tracing app. We have provided advice and challenge to PHE and DHSC, on their privacy notices and DPIAs and we have investigated a number of data breaches and made recommendations. Some of these investigations are still progressing.

We also provided expert guidance and challenge as early as possible in the development of the contact tracing app to make sure those developing the apps were clear about the standards set out in law and the standards we, as the regulator, expect. I issued an opinion and expectations document in April recommending an approach to app developers for privacy compliance.

As is their right the developers chose a different option to that advised in my expectations document. As I have explained, it is not for me to mandate a particular course of action by a data controller absent a clear indication that there is harm being caused but to evaluate the outcome of the measures they have taken. In the event, as has been reported, a different approach is now being adopted to the app, and I welcome this.

We have also provided challenge and feedback on data protection impact assessments (DPIAs) associated with the app. I was pleased that much of my feedback was taken on board and as I explained to the Joint Committee on Human Rights, I will continue to supervise arrangements to ensure that data is safeguarded in the use and then decommissioning of any app based service. I have observed a willingness by those charged with the scheme to improve their arrangements as they develop them and take on board recommendations my teams have made.

I am therefore reserving my ability to take regulatory action where I consider relevant standards have not been met. I have also been clear that I will address some of the earlier issues with deployment of the service once the arrangements can be evaluated as a whole. To this purpose we will audit the arrangements to ensure that data protection obligations are met throughout the Test and Trace ecosystem. I welcome the fact that Test and Trace has agreed to this consensual audit.

I agree with you that the public must have confidence their data is being treated safely and legally which is why we have taken the approach we have done as outlined above. Our suite of regulatory tools can both pull and push in the right direction to ensure privacy is protected, whilst not holding up significant measures to protect public health.

Yours sincerely,

Elizabeth Denham, Information Commissioner