Information Commissioner's Office
Blog: Data protection considerations and the NHS COVID-19 app
Information Commissioner Elizabeth Denham talks about the regulatory work the ICO has been involved in regarding the England and Wales NHS COVID-19 app.
One of the themes of the ICO’s recent work is the use of tech innovation to respond to the challenges prompted by COVID-19.
As a regulator, we have an important role to play in those projects, both by enabling progress that can help society, and by protecting the people whose data – and trust – such projects rely on.
Our engagement around the England and Wales NHS COVID-19 app being launched this month is a good example of this approach.
We engaged in discussions around data protection and contact tracing apps from the start, publishing a formal Opinion about the joint Google – Apple exposure notification API in the week it was launched, and then developing a detailed ‘expectations document’, which has served as a reference point throughout.
We have been consulted on the app’s development from the start of the project, working with the Department for Health and Social Care (DHSC) to encourage the necessary consideration of people’s data protection rights.
It has been a positive relationship. We were clear from the outset that our role was to ask questions on how transparency, legality and fairness were built into the project.
In response to our questions, DHSC has provided us with iterations of their Data Protection Impact Assessment (DPIA) and plans for the app, and answered our questions. It was especially positive to see our feedback prompt changes, including:
- Improved privacy information, better informing individuals about the implications the app may have on their privacy, the steps taken to mitigate those risks, and how individuals can exercise their information rights.
- Clearer information on automated decision making, including giving individuals the opportunity to speak to a person about the decision, and the reasoning behind the algorithm.
- Further transparency for individuals on how and when personal data is considered anonymous and who it is shared with.
- Greater clarity of data flows and security considerations.
We’re also pleased to see the voluntary nature of the app and how it gives people the option of checking into venues by using a QR code, which mirrors the privacy preserving intent of the Apple and Google API.
As a regulator, our primary responsibility is to ensure compliance with the law, and engaging with organisations at an early stage in their project helps us achieve that.
Working with an organisation does not remove our ability to take formal action if needed. And our regulatory role does not end once an innovation is launched.
Our engagement on the NHS COVID-19 app will continue, and will focus in particular on the data protection implications of any changes to the app’s functionality. We will also be auditing the whole Test and Trace ecosystem, which gives us a further opportunity to ensure that data protection obligations are continuing to be met.
We have also seen positive engagement with the Scottish Government on their Protect Scotland app, and with the Department of Health on the StopCOVID NI app, something I will cover in more detail in a future blog.
Elizabeth Denham was appointed UK Information Commissioner on 15 July 2016, having previously held the position of Information and Privacy Commissioner for British Columbia, Canada.
Latest News from
Information Commissioner's Office
Five things we learned from DPPC 202107/05/2021 15:20:00
The ICO’s Data Protection Practitioners’ Conference 2021 was held this week, bringing together more than 3,000 data protection professionals from across the country.
Data Protection Practitioners’ Conference 202105/05/2021 14:15:00
Elizabeth Denham’s speech at the Data Protection Practitioners’ Conference on 5 May 2021
Digital Regulatory Cooperation Forum’s response to DCMS on the future of the digital regulatory landscape05/05/2021 12:05:00
The Digital Regulatory Cooperation Forum (DRCF) has submitted its response to the Department of Digital, Culture, Media and Sport (DCMS) on the future of the digital regulatory landscape and how to achieve coherence in regulatory approaches across digital services.
Blog: Free advisory check-ups help small businesses make the best use of their data30/04/2021 16:25:00
A blog from Syed Ali, Lead Engagement and Regulatory Assurance Officer
Data protection is an enabler for trust and confidence in the implementation of digital identity systems23/04/2021 12:25:00
Blog posted by: Steve Wood, Deputy Commissioner (Executive Director, Regulatory Strategy), 22 April 2021.
How the ICO Innovation Hub is enabling innovation and economic growth through cross-regulatory collaboration21/04/2021 14:20:00
The COVID-19 pandemic has changed work for so many of us around the world; forcing innovation and new ways of working. And that’s just as true for regulators – we’ve had to adapt to develop new ways to support organisations.
Tribute to His Royal Highness The Duke of Edinburgh12/04/2021 14:10:00
Statement from Elizabeth Denham, Information Commissioner.
Blog: Data Protection law can help create public trust and confidence around COVID-status certification schemes29/03/2021 12:25:00
Blog posted by: Elizabeth Denham, Information Commissioner, 26 March 2021.
Secretary of State for the Department for Digital, Culture Media & Sport and the Information Commissioner sign Memorandum of Understanding on data adequacy22/03/2021 14:33:00
Having left the EU, the Secretary of State for the Department for Digital, Culture, Media and Sport now holds powers to make independent UK data adequacy arrangements with new partners around the world, making it easier for organisations to send data internationally.