Information Commissioner's Office
Blog: Data Protection law can help create public trust and confidence around COVID-status certification schemes
Blog posted by: Elizabeth Denham, Information Commissioner, 26 March 2021.
From contact tracing apps to temperature checks at airports, from businesses recording customers’ details to organisations sharing health data to help the vulnerable, it is clear that the responsible use of personal data has been vital in responding to the COVID-19 pandemic.
Public trust has been at the heart of each of these projects, and I am pleased that the ICO has been able to help organisations earn that trust by providing pragmatic advice to ensure data is used in a way that people feel is fair.
Now, as the UK Government reviews the prospective role of domestic COVID-status certification schemes, the ICO continues to advise on privacy considerations that can contribute to schemes earning public trust from the outset.
These are early days – and that’s exactly the right time for us to be involved. We’ve engaged with UK Government about how data protection law and regulation need not be a barrier to the responsible use of personal data in any certification scheme, and are engaging with the devolved administrations.
We understand the potential benefits of people being able to demonstrate their COVID-status, including safeguarding public health and reopening parts of the economy.
The success of any future COVID-status schemes will rely on people trusting them and having confidence in how their personal data will be used. It is crucial that, from the start, thought is given to how data can be used fairly and how this can be explained clearly to people using a scheme.
Any organisation processing personal data as part of a COVID-status certification scheme would be responsible for using that personal data appropriately and for complying with data protection law. While these schemes may be new, the principles are the same.
That means high standards of governance and accountability to ensure compliance with data protection principles, including transparency, fairness, data minimisation and storage limitation, and utilising a ‘data protection by design’ approach as part of their planning.
If the UK plans to develop digital infrastructure as part of any COVID-status certification schemes, then they must be secure, fit for purpose and compliant with the law. Much has been learned over the last year in this area and I have recommended that good practice from other digital solutions developed to address COVID-19 be taken into account.
One lesson is that people are sometimes concerned that information collected for one purpose might then be used for other purposes, something I discussed with MPs in January.
The UK data protection regime can offer people reassurance here. The law expects organisations to be clear why they are using data, and my office can act if there are concerns of ‘scope creep’.
The UK administrations also have a leadership role to play in instilling public trust and confidence. There is a risk that without a strong line from leaders on what is and is not acceptable, a range of organisations will offer COVID-status certification services, likely with varying levels of maturity in terms of good governance and protections for personal data. The failing of one initiative may undermine public trust in all such schemes.
Over the last year we have sought to support organisations as they strive to protect information about people and comply with data protection rules through the pandemic. Our Coronavirus Hub contains all our guidance in this area and is updated as new issues emerge so that our support remains relevant and practical.
There is still work to do before UK Government reaches any conclusions following its review and data protection will remain a key consideration. My office welcomes the engagement to date, and looks forward to continuing to be consulted on COVID-status certification schemes across the UK.
Elizabeth Denham was appointed UK Information Commissioner on 15 July 2016, having previously held the position of Information and Privacy Commissioner for British Columbia, Canada.
Latest News from
Information Commissioner's Office
ICO approves the first UK eIDAS Regulations Qualified Trust Service Provider28/07/2021 09:10:00
The Information Commissioner’s Office has approved GlobalSign as the UK’s first qualified trust service provider [QTSP] under the UK eIDAS Regulations.
ICO's blog on its information rights work26/07/2021 16:20:00
Colleagues from the ICO’s FOI Directorate share their experiences and involvement in raising awareness of our regulation of access to information legislation.
Blog: New toolkit launched to help organisations using AI to process personal data understand the associated risks and ways of complying with data protection law21/07/2021 09:20:00
Alister Pearson, the ICO’s Senior Policy Officer – Technology introduces a new beta version of our AI and Data Protection Risk Toolkit. He explains how it can assure organisations that use AI to process personal data that they are processing it in line with the law and how organisations can help the ICO shape a final version.
Blog: What’s next for the Accountability Framework?19/07/2021 09:10:00
Blog posted by: Anulka Clarke, 15 July 2021.
Blog: Reflecting on the past five years of fundraising and data protection regulation16/07/2021 14:43:00
Lord Toby Harris, Chair of the Fundraising Regulator & Elizabeth Denham CBE, the UK Information Commissioner, reflect on the past five years of fundraising and data protection regulation in the charity sector.
Statement on ICO investigation into Department of Health and Social Care CCTV footage16/07/2021 09:10:00
The ICO can confirm it is investigating an alleged data breach.
ICO fines transgender charity for data protection breach exposing sensitive personal data09/07/2021 09:25:00
The Information Commissioner’s Office (ICO) has fined transgender charity Mermaids £25,000 for failing to keep the personal data of its users secure.
ICO publishes annual tracking research07/07/2021 15:15:00
77% of people say protecting their personal information is essential, research commissioned by the ICO has found.