Last week, Open Rights Group (ORG) found out that the Information Rights Tribunal has ceased its general stay. This comes in conjunction with the Information Commissioner (ICO) allegedly expressing concerns over the Test and Trace scheme and its handling of mandatory data protection checks.
Whether these are preludes to a return to effective data protection enforcement is yet to be seen. The Government’s recent disclosure of their NHS Covid-19 contractual deals with private tech firms has exposed new issues, adding to the already long list of concerns and contraventions we have covered in the past. On the other hand, the ICO's official stance has been feeble, to say the least, and we have yet to see any meaningful action to compel the Government to remedy these manifest violations of privacy laws.
Given these developments, we encourage the ICO to regain control of the situation, and effectively protect our rights to data protection.
The ICO should call out failures to protect our personal information
So far, the Government has failed to properly mitigate risks in the development of the NHSX Contact Tracing App, as well as to produce a mandatory risk assessment for the Test and Trace scheme. Furthermore, an outsourcing firm involved in the hiring of contact tracing staff did not report a data breach to the ICO, despite the law compelling them to do so within 72 hours of becoming aware of it.
We believe the ICO should call out these stark contraventions of data protection rules. This would represent a first, meaningful step toward keeping the Government and its partners in check, and ensuring that the next moves are planned and implemented with the care and competence the situation demands.
The ICO should investigate violations of data protection rules
The Data Protection Act gives the ICO a wide array of tools to enforce data protection rules. These include the power to issue written inquiries, conduct compulsory audits, impose fines, and demand changes in the way personal data are stored and used. Given the sensitivity of contact tracing data, we cannot think of a more convincing case to resort to these regulatory powers.
On the other hand, the violations we mentioned above are only the facts that have kept emerging over the past month, indicating that we may very well be scratching the surface.
Therefore, we expect the ICO to rely on their statutory powers to assess the real scale of the violations we have witnessed so far, and to put an end to the malpractices which are currently taking place.
The ICO should set red lines for Digital Contact Tracing
Contact tracing involves an unprecedented level of intrusion into our personal lives. Furthermore, the very nature of personal data related to Covid-19 infections or other health information makes initiatives in this field extremely sensitive.
On the other hand, the Government has rejected parliamentary attempts to enshrine legal safeguards in legislation, and is planning to intensify its efforts to establish an immunity passport scheme, whose risks are self-explanatory.
In this regard, we believe the ICO should proactively assert their voice, and spell out the data protection requirements which must be implemented in digital contact tracing systems. This would involve the release of appropriate guidance and codes of practice.
We have already filed a complaint with the ICO denouncing Test and Trace legal breaches, and we will continue to put pressure on the Government to establish legal and practical safeguards in these systems.