The pandemic has presented many obstacles in response to which we’ve seen the emergence of technology and data based solutions. To varying degrees, these solutions have sparked debate and discussion on balancing the use of data in the delivery of the response to the pandemic against ensuring that the public’s data is protected and that trust is maintained in the use of data.
Outlining the impact of the pandemic and responses to it on privacy law and information rights, the UK’s now former Information Commissioner, Elizabeth Denham, last month published a paper, ‘COVID-19 and Information Rights: Reflections and Lessons Learnt from the Information Commissioner’ (the Paper). The Paper examines two key issues which were raised as a result of the pandemic:
- whether the data protection legislative framework was flexible enough to enable the use of personal data to combat the crisis, whilst also being robust enough to sufficiently protect individual’s rights; and
- whether individuals still maintained trust in public authorities to process their data responsibly.
Responses to the Pandemic: Impact on the Legislative Framework
The Paper outlines the flexibility of the legislative framework to provide the rapid response that was required in the wake of the pandemic. The ICO themselves adopted a ‘risk-based approach’ to overcome the privacy challenges raised by new technologies and mechanisms to combat the virus, meaning no legislative change was required. Individual’s rights were protected through ensuring that privacy concerns were at the forefront of the development of technologies, and the Paper highlights the role of the ICO in the development of the Department for Health and Social Care’s NHS Test and Trace App and the NHS COVID-19 App to ensure that privacy concerns were addressed and individual’s personal data was safeguarded. This included what has now become a supervisory role for the ICO in monitoring the long-term intentions of these technologies and how they will be operated post-COVID.
In the Paper, Elizabeth Denham has also taken the opportunity to emphasise the importance of Data Protection Impact Assessments (DPIA) stressing the central role they played in ensuring developments and new technologies considered their impact in regards to privacy issues and data protection law. With Government’s new Data Strategy ‘Data: A New Direction’ set to remove the requirement for organisations to conduct a DPIA, the Paper stresses the role of these assessments in demonstrating privacy by design, and encourages their continued use in relation to healthcare responses to the pandemic.
Transparency and Accountability: Maintaining Public Trust
As the regulator with responsibility for regulating the Freedom of Information Act, Elizabeth Denham highlighted that the transparency of public authorities during the pandemic had a direct correlation with the public’s trust in organisations’ ability to safeguard their personal data. The Paper notes that for many public organisations, reduced capacity during the pandemic meant they were unable to deal with FOIA requests in the normal manner. As a result, the ICO adopted a proportionate response in relation to their usual enforcement role, recognising authorities were in the midst of a national crisis. However, the Paper also noted that the significant increase in public spending in efforts to combat the pandemic relayed the need for increased transparency in how funds from the public purse are allocated, with challenges to tender processes and awards indicating the important role of public scrutiny. The Paper emphasises the importance of accurate record keeping and proper documentation and highlights that ensuring transparency in future procurements, including ensuring adequate records are kept, will be a key measure on the road to instilling public confidence .
Challenges for recovery
Recognising that recovery from the pandemic will bring new challenges, the Paper notes the importance of the continuing role that data protection must play in:
- vaccination certification and ensuring, amongst other things, that any data exposed for checking and certification is minimal;
- looking closely at the role of third parties involved in the processing of health data. On this, Elizabeth Denham recognises the vital role that third parties have played in the government’s response to the pandemic, but reinforces the need for organisations to have in place robust governance arrangements to ensure appropriate due diligence and oversight of third parties in advance of and during processing; and
- ensuring that innovative health technologies introduced in response to the pandemic do not steadily move towards becoming long-term health surveillance.
Our data protection lawyers and colleagues from around the firm have been heavily involved in advising the government and local authorities on many aspects of the response to the pandemic. The effective yet lawful and proportionate use of data has, for many of those projects, been a key consideration and it is helpful to see much of the experience of our teams set out in the Paper.
The COVID-19 pandemic is the biggest global public health crisis in over a century. But thanks to the transformational power of science, data and technologies it was possible to develop responses at pace. Fuelling the functioning of these technologies was citizens' personal data. - Elizabeth Denham