A new report exposes failures by the Information Commissioner’s Office (ICO) in protecting the public’s privacy and data rights during the Covid-19 pandemic.
The report analyses the use of data in three key Covid-19 health programmes: NHS Test and Trace, the NHS Contact Tracing App and the NHS Datastore. It compares the ICO’s response to that of other European data protection authorities and UK regulators; analyses the future impact of new changes to data protection law; and sets out policy recommendations for the government and the ICO.
Public health programmes were deployed unlawfully and underpinned by negligent data governance. All three programmes failed to comply in full with the requirement in Article 35 GDPR to carry out Data Protection Impact Assessments (DPIAs). This was most notable for Test and Trace and for the Datastore, where no DPIA was completed before agreements were entered into with providers. Had they complied with the law, some of the subsequent data breaches could have been prevented. These included confidential contact tracing data being leaked on social media channels by Test and Trace personnel, being abused to harass women, or being lost because it was stored in an Excel spreadsheet.
The ICO acted as a “critical friend” and did not enforce the law effectively, which led to these programmes falling short of important safeguards and data protection requirements. This exposed the public to significant risks and harms as outlined above. This approach contributed to the delay to the rollout of the Covid-19 app after the