Last week we highlighted some of the concerns with contact tracing apps and the privacy challenges facing developers. You can read our article here.

Needless to say, the debate is continuing in full force, with fears over privacy and surveillance increasing rather than abating. Clarity and consensus have not yet been reached but, amongst all the noise, a few interesting statements have been made by those at the forefront of the discussions.

The Information Commissioner, Elizabeth Denham, has identified (in a similar vein to the concluding remarks in our article last week) the very reason why it is so important to get this right: data privacy is necessary to ensure the benefits of technology are not lost as a result of the public failing to embrace it.

The ICO, together with more than 250 commissioners, government representatives, privacy professionals and key stakeholders, has thrashed out the issues in a virtual meeting.

A series of simple questions have been produced for those developing and seeking to rely on new contact tracing technologies:

  • Have you demonstrated how privacy is built into the processor technology?
  • Is the planned collection and use of personal data necessary and proportionate?
  • What control do users have over their data?
  • How much data needs to be gathered and processed centrally?
  • When in operation, what are the governance and accountability processes in your organisation for ongoing monitoring and evaluation of data processing – to ensure it remains necessary and effective, and to ensure that the safeguards in place are still suitable?
  • What happens when the processing is no longer necessary?

These are all concepts which are at the centre of data protection regulation. How they will be put into practice is the challenge. The ICO says that it is here to help, and has been able to offer its advice and support to NHSX.

The ICO has also published a formal opinion on Google and Apple’s joint work on contact tracing technology. Broadly, the ICO says the proposals align with the principles of data protection by design and by default, but clarification is needed for app users around who is responsible for data processing.

At a European level, Commissioner for Internal Market Thierry Breton has commented as follows: “Contact tracing apps to limit the spread of coronavirus can be useful, especially as part of Member States’ exit strategies. However, strong privacy safeguards are a pre-requisite for the uptake of these apps, and therefore their usefulness. While we should be innovative and make the best use of technology in fighting the pandemic, we will not compromise on our values and privacy requirements.”

This follows the development of the EU toolbox for the use of mobile applications for contact tracing and warning in response to the coronavirus pandemic.