The ICO and the government were challenged for privacy protection failure. Is the government test and trace policy effective or just a way to breach the privacy of the civilians? Find out more here.
The European Data Protection Board (EDPB) and Organisation for Economic Co-operation and Development (OECD) had already called out to cease and reverse the exceptional use of data once the pandemic is over. Although, it was suspected that once such technology was created it will be used as a way to track and monitor civilians in unwanted ways.
However, the state, as well as watchdogs such as the ICO, agreed that they would cease the use of the technology once the threat of the pandemic had been eliminated.
The systems introduced by the government in its effort to monitor and track cases as well as the spread of the virus include digital check-in systems, wristband trackers and mobile applications. This resulted in a huge influx of data, most of which can be deemed as sensitive.
According to ICO’s report, the data has to be collected once all checks are in place including a Data Protection Impact Assessment (DPIA), as required under the General Data Protection Regulation (GDPR). The report also stated:
‘The ICO considers that a Data Protection Impact Assessment (DPIA) is required for contact tracing solutions prior to implementation, given that the processing is likely to result in a high risk to the rights and freedoms of individuals.’
However, now it has come to light that the DPIA was carried out inefficiently
The data collected under special case scenarios are also limited in terms of its age and usage. Hence, keeping up with the law, the EDPB and the OCED have called on governments to cease and reverse the exceptional use of data once the pandemic is over.
Despite the seemingly concerned ICO, the letter has raised concerns on the impact of the data collection and use. It is signed by MPs from Labour, the Liberal Democrats, the Scottish National Party and the Green Party, and calls on Elizabeth Denham, the Information Commissioner, to address concerns that the test and trace applications have been operating unlawfully.
Furthermore, last month the government accepted it did not carry out a data protection impact assessment (DPIA) for test and trace before beginning.
It is no surprise that a DPIA is necessary under the General Data Protection Regulation (GDPR) for projects deemed high risk. COVID-19 and the battle against it is one of those case scenarios which are high risk and yet detrimental to the public’s well-being if not undertaken with the correct measures in place. The DPIA is needed to assess personal privacy and data security and is intended to identify and minimise the data protection risks of a project.
The ICO stated at the time that the DPIA oversight came to light that it was working with the government as a “critical friend” to provide guidance and advice, and to ensure people’s personal data is protected. This indicates a major shift from the watchdog towards the state.
The letter from the MPs has called on the ICO to do more to enforce data protection standards and maintain public confidence and its public-mandated responsibility. The letter states:
“Parliamentarians and the public need to be able to rely on the regulator”.
“However, the government not only appears unwilling to understand its legal duties, it also seems to lack any sense that it needs your advice, except as a shield against criticism
“Regarding test and trace, it is imperative that you take action to establish public confidence – a trusted system is critical to protecting public health.”
To this, an ICO spokesperson said: “Our regulatory obligations include advising as well as supervising the work of data controllers. Our approach during the pandemic has been to provide advice on the data protection implications of a number of initiatives by the UK government, the NHS, local councils and private sector organisations to respond to the public health crisis.
“We will continue to uphold people’s information rights, and we will act where our advice is not followed and where we find serious, systemic or negligent behaviour that puts people’s protections at risk.”
A DPIA is essential for any business processing or collecting sensitive information that is involved in high-risk projects. Before you begin your new project, fulfil the legal requirements and save yourself the litigation trouble. You can access a free version of the Seers innovative DPIA solution here.