There’s an often quoted line about knowing the past to understand the present. It came to mind this week, as I looked at the work we had been doing on contact tracing and location data in the context of COVID-19.
Data protection law emerged in the UK out of a concern that the benefits of new technology could be lost if advances were not embraced by the population. Data protection law was seen as a way to support innovation by assuring people that checks were in place to prevent the build-up of intrusive pictures of their lives.
That feels very relevant today, as we look at how contact tracing projects and location tracking could help us combat the pandemic. Such technologies could help us to better understand how society is responding to isolation measures, and alert people who may have been in contact with the virus. It is right that we explore such technologies.
Is it proportionate?
But, as with any new technology, the public need to have confidence that it is being used in a fair and proportionate way. Our statement on coronavirus in March made the point that data protection laws do not get in the way of innovative use of data in a public health emergency – as long as the principles of the law (transparency, fairness and proportionality) are applied. The same approach applies to the use of contact tracing applications.
New technologies and tracking to combat the pandemic is of course an international issue. Last week, the ICO used our position as chair of both the Global Privacy Assembly of privacy regulators and the OECD Working Party on Data Governance and Privacy to bring together more than 250 commissioners, government representatives, privacy professionals and key stakeholders to debate these issues in a virtual meeting.
As a result of our own analysis and this discussion, we have produced a series of simple questions to those using these new technologies might ask themselves, to ensure that the privacy implications are properly considered, and that they do not put public trust and social licence at risk.
1. Have you demonstrated how privacy is built in to the processor technology?
The principles of data protection by design and by default are central to the law, and we were pleased to see Google and Apple making clear how they are aligning with these principles in their joint work on contact tracing technology. Organizations creating apps will need to take a similar approach. We understand the onus is on organizations to move quickly – but even an initial privacy impact assessment that is then developed is a minimum requirement.
2. Is the planned collection and use of personal data necessary and proportionate?
We support digital innovation that can address challenges prompted by this public health emergency, but the public need to know that thought is being given to finding the least privacy intrusive solutions.
This is especially important when ‘location data’ can mean many things. Some location data gives a more exact location than others. Some projects may be able to rely on data that is pseudonymized or anonymized to reduce the risk of reidentification.
Conversations on proportionality must be informed by evidence, and it is great to see NHSX engaging academics and other experts to explore these issues. Context is important here too, and as a regulator we will reflect a society that is, for now, accepting restrictions on liberty to protect public health.
3. What control do users have over their data?
And can they exercise their rights? We would expect app developers to be providing people with clear information on how their information was being used, and their options for preventing processing where applicable. For instance, where contact tracing is being incorporated into a wider package of measures, this additional information would need to be clear.
4. How much data needs to be gathered and processed centrally?
The starting point for contact tracing should be decentralized systems that look to shift processing on to individuals’ devices where possible. Safeguards and security measures need to accompany this, as well as any transfers of information.
5. When in operation, what are the governance and accountability processes in your organization for ongoing monitoring and evaluation of data processing – to ensure it remains necessary and effective, and to ensure that the safeguards in place are still suitable?
6. What happens when the processing is no longer necessary?
This is especially crucial: what is appropriate and proportionate in response to an international public health emergency looks quite different when that emergency ends. What consideration has been made to how data collection ends, and what happens to the data gathered? We appreciate that the answer to that may not be in the initial privacy impact assessment, which is why these assessments should be revisited and updated when possible.
The ICO is here to help organizations through this process, while ensuring that data protection laws are not set aside. We can offer guidance and tools to consider the law ahead of a project, as well as providing assurance via audit once a project is up and running.
A good example of where we have been able to do this is in our input to the proposed NHS contact and tracing app. We’ve been pleased to be able to offer our advice and support to NHSX. In particular, we have spoken about the high level of transparency and governance this app would need, and a focus on continued review that the data being collected and used is necessary and proportionate. We are committed to providing oversight during the life of the app.
We have also published a formal Opinion, setting out our current thinking on Google and Apple’s joint work on contact tracing technology. The Opinion is primarily for organizations involved in the project, particularly app developers who want to utilize the API. In it, we confirm the project appears to broadly align with the principles of data protection by design and default, while being clear that app developers must still take their own measures to ensure they comply with data protection law.
My office will continue to reflect these exceptional times, and will offer our help and guidance to projects looking to find innovative ways to help society. Put simply, we will want to see evidence that COVID-19 initiatives do what they intend to do – that they work in practice, that they are proportionate, that people can access their rights in law, and that there is a plan in place to stand down measures when no longer needed.
Elizabeth Denham was appointed UK Information Commissioner on 15 July 2016, having previously held the position of Information and Privacy Commissioner for British Columbia, Canada. For more information, please visit the ICO.