Blog: Data protection considerations and the NHS COVID-19 app
18 September 2020
Information Commissioner Elizabeth Denham talks about the regulatory work the ICO has been involved in on the England and Wales NHS COVID-19 app.
One of the themes of the ICO’s recent work is the use of tech innovation to respond to the challenges prompted by COVID-19.
As a regulator, we have an important role to play in those projects, both by enabling progress that can help society, and by protecting the people whose data – and trust – such projects rely on.
Our engagement around the England and Wales NHS COVID-19 app being launched this month is a good example of this approach.
We engaged in discussions around data protection and contact tracing apps from the start, publishing a formal Opinion about the joint Google – Apple exposure notification API in the week it was launched, and then developing a detailed ‘expectations document’, which has served as a reference point throughout.
We have been consulted on the app’s development from the start of the project, working with the Department for Health and Social Care (DHSC) to encourage the necessary consideration of people’s data protection rights.
It has been a positive relationship. We were clear from the outset that our role was to ask questions on how transparency, legality and fairness were built into the project.
In response to our questions, DHSC has provided us with iterations of their Data Protection Impact Assessment (DPIA) and plans for the app, and answered our questions. It was especially positive to see our feedback prompt changes, including:
- Improved privacy information, better informing individuals about the implications the app may have on their privacy, the steps taken to mitigate those risks, and how individuals can exercise their information rights.
- Clearer information on automated decision making, including giving individuals the opportunity to speak to a person about the decision, and the reasoning behind the algorithm.
- Further transparency for individuals on how and when personal data is considered anonymous and who it is shared with.
- Greater clarity of data flows and security considerations.
We’re also pleased to see the voluntary nature of the app and how it gives people the option of checking into venues by using a QR code, which mirrors the privacy preserving intent of the Apple and Google API.
As a regulator, our primary responsibility is to ensure compliance with the law, and engaging with organisations at an early stage in their project helps us achieve that.
We’ve seen this approach work particularly well in our support of innovation, whether it’s around this app, in our Sandbox programme, our AI guidance or our work with SMEs.
Working with an organisation does not remove our ability to take formal action if needed. And our regulatory role does not end once an innovation is launched.
Our engagement on the NHS COVID-19 app will continue, and will focus in particular on the data protection implications of any changes to the app’s functionality. We will also be auditing the whole Test and Trace ecosystem, which gives us a further opportunity to ensure that data protection obligations are continuing to be met.
Elizabeth Denham was appointed UK Information Commissioner on 15 July 2016, having previously held the position of Information and Privacy Commissioner for British Columbia, Canada.