Information Commissioner's Office
Blog: Data protection considerations and the NHS COVID-19 app
Information Commissioner Elizabeth Denham talks about the regulatory work the ICO has been involved in regarding the England and Wales NHS COVID-19 app.
One of the themes of the ICO’s recent work is the use of tech innovation to respond to the challenges prompted by COVID-19.
As a regulator, we have an important role to play in those projects, both by enabling progress that can help society, and by protecting the people whose data – and trust – such projects rely on.
Our engagement around the England and Wales NHS COVID-19 app being launched this month is a good example of this approach.
We engaged in discussions around data protection and contact tracing apps from the start, publishing a formal Opinion about the joint Google – Apple exposure notification API in the week it was launched, and then developing a detailed ‘expectations document’, which has served as a reference point throughout.
We have been consulted on the app’s development from the start of the project, working with the Department for Health and Social Care (DHSC) to encourage the necessary consideration of people’s data protection rights.
It has been a positive relationship. We were clear from the outset that our role was to ask questions on how transparency, legality and fairness were built into the project.
In response to our questions, DHSC has provided us with iterations of their Data Protection Impact Assessment (DPIA) and plans for the app, and answered our questions. It was especially positive to see our feedback prompt changes, including:
- Improved privacy information, better informing individuals about the implications the app may have on their privacy, the steps taken to mitigate those risks, and how individuals can exercise their information rights.
- Clearer information on automated decision making, including giving individuals the opportunity to speak to a person about the decision, and the reasoning behind the algorithm.
- Further transparency for individuals on how and when personal data is considered anonymous and who it is shared with.
- Greater clarity of data flows and security considerations.
We’re also pleased to see the voluntary nature of the app and how it gives people the option of checking into venues by using a QR code, which mirrors the privacy preserving intent of the Apple and Google API.
As a regulator, our primary responsibility is to ensure compliance with the law, and engaging with organisations at an early stage in their project helps us achieve that.
Working with an organisation does not remove our ability to take formal action if needed. And our regulatory role does not end once an innovation is launched.
Our engagement on the NHS COVID-19 app will continue, and will focus in particular on the data protection implications of any changes to the app’s functionality. We will also be auditing the whole Test and Trace ecosystem, which gives us a further opportunity to ensure that data protection obligations are continuing to be met.
We have also seen positive engagement with the Scottish Government on their Protect Scotland app, and with the Department of Health on the StopCOVID NI app, something I will cover in more detail in a future blog.
Elizabeth Denham was appointed UK Information Commissioner on 15 July 2016, having previously held the position of Information and Privacy Commissioner for British Columbia, Canada.