Covid-19 Data Protection update

Here is a round-up of recent activity from data protection bodies, governments and other organisations in the EU and UK in relation to data protection issues in the COVID-19 pandemic.

ICO statement on its regulatory approach during the pandemic

The ICO issued a statement on 15 April 2020 setting out how its regulatory priorities and resources will be affected and focussed during the pandemic.  Taking as its starting point the ICO’s role to act in the public interest as a pragmatic and proportionate regulator focusing on areas likely to cause the greatest public harm, the statement acknowledges the pressures and limitations currently affecting organisations, commits to a flexible, empathetic and pragmatic approach and to supporting organisations – particularly those providing frontline healthcare and other vital services – and explains how it will apply proportionality to its regulatory investigations and enforcement action.  The ICO intends to prioritise its services to provide additional guidance for organisations about complying with the law during the crisis, keep this guidance under review and issue updates as necessary.

https://ico.org.uk/media/about-the-ico/policies-and-procedures/2617613/ico-regulatory-approach-during-coronavirus.pdf

This statement follows the ICO’s earlier statement back in March – see our previous blog post on this.

UK Information Commissioner Blog: Combatting COVID-19 through data: some considerations for privacy

The Information Commissioner, Elizabeth Denham, posted a blog on 17 April 2020 discussing privacy and data protection issues arising from contact tracing and location tracking apps being used to tackle the pandemic.

The blog acknowledges that these technologies should be explored due to their potential benefits, but the public need to have confidence that they are being used in a fair and transparent way. 

It poses a series of questions that people designing these new technologies should ask themselves to ensure that privacy implications are properly considered and do not put public trust and social licence at risk.  These include considering whether privacy is ‘built-in’ to the technology, whether data use is proportionate and necessary, what control users have over their data, how centralised the processing is (decentralised systems being preferred) and what governance and accountability processes are in place (e.g. to consider what to do with the data when the pandemic is over).

The blog highlights the ICO’s input into the proposed NHS contact tracing app and planned oversight during the life of the app, as well as the ICO’s formal Opinion on Google and Apple’s joint work on contact tracing technology (see more on this below).

Denham summarises by saying that the ICO will continue to offer help and guidance to projects looking to find innovative ways to help society and will want to see evidence that COVID-19 initiatives do what they intend to do – that they work in practice, are proportionate, that people can access their legal rights, and that there is a plan in place to stand down measures when no longer needed.

https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/04/combatting-covid-19-through-data-some-considerations-for-privacy/

UK ICO issues formal opinion on Apple and Google contact tracing technology

The ICO issued an opinion on 17 April 2020 on the Apple and Google joint initiative on COVID-19 contact tracing technology – the “Contact Tracing Framework (CTF)” to enable the use of Bluetooth technology to help governments and public health authorities (PHAs) reduce the spread of the virus.

The opinion is primarily aimed at organisations involved in the CTF’s development, as well as organisations developing apps that may use the CTF and other stakeholders that wish to understand the ICO’s position on the CTF, although it will be of interest to anyone involved in other contact tracing initiatives.

Apple and Google are not themselves building a contact tracing app, but are developing a solution – the CTF – including APIs and operating system-level technology, to enable interoperability between Android and iOS devices using apps from PHAs and facilitate the development of contact tracing apps on both platforms.  These ‘official’ apps will be available for download via their respective app stores.  The CTF will enable third parties such as PHAs to create contact tracing apps that exchange information via Bluetooth Low Energy between devices and is intended to support the development of apps that protect their users’ identity.

The ICO seems persuaded that the CTF proposals “appear aligned with the principles of data protection by design and by default”, based on the technologies and methods described to them by the companies. 

However, the ICO recognises that when apps are developed using the CTF they may also collect other data and use other techniques beyond those envisaged by the CTF, and that the organisations designing those apps will be the controllers of the data collected using them and be responsible for ensuring that processing by their apps is fair, lawful and transparent.

The opinion only relates to ‘Phase 1’ of the CTF work.  ‘Phase 2’ could involve additional functionality, and the ICO intends to remain engaged in the work as it evolves and may issue additional/updated opinions.

https://ico.org.uk/media/about-the-ico/documents/2617653/apple-google-api-opinion-final-april-2020.pdf

European Commission launches common EU Toolbox for mobile applications to support contact tracing in the EU’s fight against COVID-19

The European Commission has produced a “Toolbox”, which sets out a common EU approach for:

  1. the use of mobile applications aimed at limiting the spread of COVID-19 through contact tracing and warning to enable more effective and targeted self-isolation and social distancing measures; and
  2. the use of anonymized and aggregated population mobility data in order to model and predict the evolution of COVID-19, monitor effectiveness of social distancing and confinement measures and inform a coordinated strategy for exiting the COVID-19 crisis.

The Toolbox is aimed at EU member state governments.  It is not clear whether this includes the UK during the current Brexit transition period. 

The Toolbox sets out practical measures to assist member states in making use of these potentially useful technologies whilst complying with EU law on medical devices, the right to privacy, the protection of personal data and other rights and freedoms contained in the EU Charter of Fundamental Rights, and forms part of a common coordinated approach to support the gradual lifting of confinement measures. 

The Toolbox sets out the essential requirements for these apps, including:

  • Full compliance with EU data protection and privacy rules.
  • Implementation in close coordination with, and approved by, public health authorities.
  • Voluntary installation and dismantling as soon as no longer needed.
  • Use of the latest privacy-enhancing technological solutions (likely to be based on Bluetooth proximity technology so as not to enable tracking of people's locations).
  • Use of anonymised data (alerting people who have been in proximity for a certain duration to an infected person to get tested or self-isolate without revealing the identity of the people infected).
  • Interoperability across the EU (to protect people crossing borders).
  • Anchored in accepted epidemiological guidance and reflecting best practice on cybersecurity and accessibility.
  • Secure and effective.

The Toolbox confirms that public health authorities may use anonymised/aggregated data derived from contact tracing and sets out how member states should prevent proliferation of unlawful or harmful apps and develop a set of KPIs to assess/reflect the effectiveness of the apps.

The Toolbox is available here as a PDF: https://ec.europa.eu/health/sites/health/files/ehealth/docs/covid-19_apps_en.pdf

It can also be accessed here (click on the ‘eHealth Network’ drop-down box): https://ec.europa.eu/health/ehealth/key_documents_en#anchor1

The European Commission press release announcing the Toolbox is here: https://ec.europa.eu/commission/presscorner/detail/en/ip_20_670

This Toolbox is the result of a European Commission Recommendation on 8 April 2020 for the creation of a common EU toolbox for the use of technology and data to combat and exit from the COVID-19 crisis, in particular concerning mobile applications and the use of anonymised mobility data.

PDF of the Recommendation: https://ec.europa.eu/info/sites/info/files/recommendation_on_apps_for_contact_tracing_4.pdf

Link to Recommendation on Eur-Lex site: https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1587153139410&uri=CELEX:32020H0518

European Commission press release concerning the Recommendation: https://ec.europa.eu/commission/presscorner/detail/en/ip_20_626

European Commission publishes guidance on apps that support the fight against COVID-19

The European Commission has also produced guidance on the development of new apps that support the fight against coronavirus in relation to data protection, to accompany the EU common Toolbox.  The guidance is aimed at those involved in developing apps, whereas the Toolbox is aimed at member state governments.

As these apps will involve the processing of data concerning health, a central requirement of the guidance is that national health authorities (or entities carrying out tasks in the public interest in the field of health) should be the controllers.

The guidance focuses on voluntary apps with the functionalities of providing accurate information for users on the coronavirus pandemic; questionnaires for self-assessment and guidance for individuals (symptom checker functionality); alerts for people who have been in proximity of an infected person to get tested or to self-isolate (contact tracing and warning functionality); and a communication forum between patients in self-isolation and doctors including where further diagnosis and treatment advice is provided (telemedicine).

The guidance sets out the main prerequisites for the development of apps, which include:

  • the identity of the controller (which should be a national health authority or similar)
  • user control and choice
  • legal basis (which should be the legal obligation of the health authority under Article 6(1)(c) and 9(2)(i) GDPR + consent for any cookies not necessary for app functionality)
  • data minimisation (specifically geolocation data should not be collected)
  • limiting disclosure/access to data (with ‘decentralised’ processing being favoured)
  • purpose limitation (if data will also be used for research or statistical purposes, this should be included in the original list of purposes communicated to users)
  • storage limitation (citing quite specific storage and deletion periods and criteria)
  • security (e.g. activation of Bluetooth should be possible without having to activate other location services in order to exclude tracking by third parties; using temporary user IDs that change regularly rather than storing device IDs)
  • accuracy of data (the Commission suggests that location data based on mobile phone networks is unlikely to be sufficiently accurate and advises relying on more precise technologies such as Bluetooth)
  • requirement for a DPIA and supervisory authority consultation

Relevant to IP considerations is the Commission’s recommendation that the source code of the apps should be made public and available for review (in the context of security).

Whilst it will generally be the responsibility of national health authorities – as the controllers – to ensure that their apps comply with the guidance, this guidance will be useful for the app designers/developers engaged by the authorities, who will be required to build the requirements in this guidance into the technology and software of the apps.

The guidance is available via this link: https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1587141168991&uri=CELEX:52020XC0417(08)

The European Commission press release announcing the guidance can be found here: https://ec.europa.eu/commission/presscorner/detail/en/ip_20_669

UK Govt announces new health data platform to combat Covid-19

The UK Government has commissioned NHS England, NHS Improvement and NHSX to create a health data platform bringing multiple data sources into a single, secure location, to provide national organisations responsible for coordinating the national response with secure, reliable and timely data to enable them to make informed, effective decisions.

The data will come from across NHS, social care and partner organisations – e.g. 111 online/call centre data from NHS Digital and C-19 test result data from Public Health England.  It looks like NHS England and NHS Improvement will be the controllers of the platform.  On confidentiality/data protection, the Government says it will follow the same rules for information governance that underpin its day-to-day work and that the platform will be subject to strict controls to meet the requirements of data protection law and GDPR principles – e.g. data will be destroyed or returned to NHS England and NHS Improvement once the pandemic has ended.  The Government is working with a number of private sector providers on the platform: Microsoft for its Azure cloud platform, Palantir Technologies UK for the front end software, AWS for infrastructure, Faculty for AI based dashboards, models and simulations and Google for G Suite data collection tools.

https://healthtech.blog.gov.uk/2020/03/28/the-power-of-data-in-a-pandemic/

EDPB issues guidelines on processing health data for scientific research purposes in the pandemic

The European Data Protection Board issued guidelines on 21 April 2020 addressing data protection issues arising from use of data concerning health for scientific research purposes in relation to the COVID-19 pandemic, such as establishing an appropriate legal basis, applying the data processing principles and complying with the conditions for international transfers of research data.

The guidance is a bit academic and focussed on the text of the GDPR, with few practical examples.  However, one point of note is that the guidelines acknowledge that private entities pursuing the important ‘public interest’ of fighting COVID-19, as well as public authorities, may rely on the ‘public interest’ derogation for international transfers under Article 49(1)(d) GDPR, such as a university research institute cooperating on the development of a vaccine as part of an international partnership (although if the transfers become repetitive over a long period, a safeguard under Article 46 GDPR would be required in place of the derogation).

The guidance reinforces the need for organisations to refer to their own countries’ laws pursuant to Article 9(2)(i) and (j) GDPR (addressing processing health data for public interest reasons and research purposes) and Article 89(2) (addressing derogations from data subject rights in relation to research purposes).  It also highlights that due to the processing risks in the context of the COVID-19 outbreak, high emphasis must be placed on security considerations under Articles 5(1)(f), 32(1) and 89(1) GDPR.

The guidance can be viewed here: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202003_healthdatascientificresearchcovid19_en.pdf

ICO blog guidance on privacy pitfalls of video conferencing

Ian Hulme, the ICO’s Director of Assurance, gives advice about using video conferencing technology.  The advice is aimed at staff who use the technology and those that make decisions about its use.

https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/04/video-conferencing-what-to-watch-out-for/

Zoom clarifies use of end-to-end encryption on conferencing platform

Continuing the theme of security in video conferencing technology, Zoom issued some clarification regarding how it encrypts content that moves across its network in response to confusion and questions amongst users about Zoom’s ‘end-to-end’ encryption practices.

https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-encryption-for-meetings-webinars/?mc_cid=7e13a60b37&mc_eid=5da685dc8c

ICO blog guidance on avoiding scams during the Covid-19 pandemic

The ICO posted some guidance on 31 March 2020 aimed at helping individuals avoid scams, in light of growing evidence of a spike in email and phone scammers as criminals look to seize on people’s vulnerabilities during the pandemic.

https://ico.org.uk/your-data-matters/your-data-matters-blog/

ICO statement on use of mobile phone tracking data to help during the coronavirus crisis

The ICO issued a short statement, confirming that where location data is properly anonymised and aggregated, it does not fall under data protection law.

https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/03/statement-in-response-to-the-use-of-mobile-phone-tracking-data-to-help-during-the-coronavirus-crisis/

ICO advice on COVID-19 focussed community groups and data protection

The ICO has produced blog guidance aimed at helping community groups handling sensitive personal data to understand and comply with data protection law.

https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/03/community-groups-and-covid-19/

ICO advice on working from home and data protection

The ICO has produced several guidance blogs on data protection and security issues in relation to working from home, including security checklists for employers, BYOD considerations and tips for working from home securely.

https://ico.org.uk/for-organisations/working-from-home/