Information Commissioner's Office
Blog: Protecting privacy during a pandemic: our work on the UK’s Covid apps
The ICO’s work is often in the headlines, and our recent enforcement action against TikTok for allowing over a million UK children to use its platform without parental consent brought international media attention.
In practice, the majority of our work to protect people’s privacy rights has a far lower profile. Making sure people are considering data protection at an early stage, and providing the advice and support to ensure privacy protections are built into new services is less glamorous, but very effective.
Our work with the Department of Health and Social Care and Welsh Government around the NHS Covid app is a prime example. The app was officially decommissioned on Thursday, after a fall in the number of users across England and Wales. It marks the end of a journey that began in the pandemic, and saw as many as 30 million people download the app.
The ICO offered advice and support to DHSC from the start, recognising the vital role that data played in navigating the pandemic and our responsibility, as a regulator, to protect people’s privacy during the development of new technology. Given the unprecedented circumstances, our teams worked hard to ensure that data protection law wasn’t a barrier to this innovation and privacy considerations were built into the lifecycle of the app – from design to decommission.
We were the first data protection authority to share a formal Opinion on the joint Google-Apple contact tracing API, just days after it was first published in April 2020. This was shortly followed by our data protection expectations for app development that served as a touchpoint throughout the pandemic. As the app’s functionality evolved, we continued to engage with DHSC and Welsh health bodies to ensure privacy and transparency were considered every step of the way.
Decommissioning was a key part of our expectations for the NHS Covid app. We made it clear to the Department of Health and Social Care that for people to have confidence in the app, they must be able to trust that their data would be deleted once the app was no longer required. We’re pleased that our work, started in March 2020, has helped to protect millions of people across the UK.
The same approach brought similar benefits across the UK. In Scotland, we offered advice and support on the development of the Protect Scotland app and in Northern Ireland, we provided advice and support on the development of the StopCovidNI app. Both proximity tracing apps followed the design principles set out in our expectations document and in line with these expectations, the Scottish app was decommissioned in April 2022 and the NI app was decommissioned in June 2022.
It’s an approach we continue to take today, working closely with organisations to support them to get data protection right from the start when creating new products and services. Our enforcement work may get the headlines, but it is the influence we can have over crucial moments behind the scenes that allows us to make the biggest difference.
Latest News from
Information Commissioner's Office
Data breaches put domestic abuse victims’ lives at risk, UK Information Commissioner warns28/09/2023 13:15:00
The UK Information Commissioner has today called on organisations to handle personal information properly to avoid putting victims of domestic abuse at the risk of further danger.
“This needs to be dealt with.” - ICO issues Enforcement Notice to City of York Council over FOI backlog21/09/2023 16:25:00
The Information Commissioner’s Office (ICO) has issued an Enforcement Notice to City of York Council to clear its backlog of 261 unanswered Freedom of Information requests
ICO issues half a million pounds in new fines as fight to tackle illegal nuisance calls continues21/09/2023 15:25:00
The Information Commissioner’s Office (ICO) has issued fines totalling £590,000 to five companies for collectively making 1.9 million unwanted marketing calls which targeted the elderly and people with vulnerabilities.
Share information to protect children and young people at risk, urges UK Information Commissioner15/09/2023 10:15:00
Organisations will not get in trouble if they share information to protect children and young people at risk of serious harm, the UK Information Commissioner’s Office (ICO) has promised.
Former social services council employee fined for unlawfully accessing sensitive personal data14/09/2023 09:15:00
A former family intervention officer at St Helens Borough Council has been sentenced for unlawfully accessing social services records.
UK Information Commissioner and NCSC CEO sign Memorandum of Understanding13/09/2023 13:10:00
The UK Information Commissioner, John Edwards, and the Chief Executive of the National Cyber Security Centre (NCSC), Lindy Cameron, yesterday signed a joint Memorandum of Understanding (MoU) that sets out how both organisations will cooperate.
ICO to review period and fertility tracking apps as poll shows more than half of women are concerned over data security07/09/2023 16:20:00
The Information Commissioner’s Office (ICO) is reviewing period and fertility apps as new figures show more than half of women have concerns over data security
ICO publishes new guidance on sending bulk communications by email31/08/2023 16:20:00
The Information Commissioner’s Office (ICO) yesterday issued a warning to organisations to use alternatives to the blind carbon copy (BCC) email function when sending emails containing sensitive personal information, following a catalogue of business blunders.
Joint statement on data scraping and data protection25/08/2023 09:10:00
The Information Commissioner’s Office and eleven other data protection and privacy authorities from around the world have today published a joint statement calling for the protection of people’s personal data from unlawful data scraping taking place on social media sites.