Data protection in the time of coronavirus

Published 17 April 2020

Various news outlets are reporting that the UK government is considering using mobile device users’ location data as a means to monitor the spread of coronavirus and to track those users’ efforts at social distancing.

Polling suggests that the wider population is generally supportive of implementing extraordinary measures to mitigate the COVID-19 crisis. However, the possibility of increased processing of personal data at a testing time, when individuals’ freedoms have already been curtailed as part of the response to the pandemic, does raise privacy concerns. The civil liberties group Big Brother Watch has already warned that the Coronavirus Act 2020, which came into force on 25 March, risks weakening safeguards on mass surveillance powers.

It has been suggested that individuals’ health data could be subject to large-scale processing so that people whom those individuals pass (for example, on a public street when taking permitted exercise) are warned that they have been in the proximity of someone suspected to have coronavirus. An app that performed a similar operation was used in South Korea, where the infection rate has fallen dramatically. Such processing would inevitably involve ‘special category’ data, which is subject to extra protections under the GDPR and the Data Protection Act 2018.

In a recent tweet linked to below, Matt Hancock, the Secretary of State for Health, stated that ‘GDPR does not inhibit use of data for coronavirus response’. It is likely Hancock is thinking of Articles 6(d) and 6(e) and Articles 9(2)(c), 9(2)(g), and 9(2)(i), which do allow for processing of such special category data where this is in the public interest, for public health reasons, and/or for protecting individuals’ ‘vital interests’. If the UK government were to rely on these grounds for such large-scale processing, then users’ consent would not be needed for data to be processed in this way.

However, implementing such processing is not without risk: if rolled out too quickly, it would be all too easy for such wide-scale processing of special category data to contravene core principles of the GDPR, such as ensuring data is not kept for longer than it should be and being transparent about the way it is processed. Another key tenet of the legislation is that personal data must be kept up to date, and it is not difficult to imagine how challenging it might be to keep each person’s health status up to date for large swathes of the country’s population. Individuals may not be able to object to this processing if, as is likely, it can be demonstrated that there are legitimate grounds for the processing that override individual rights and freedoms. Furthermore, while the initial use of the data might be for the purposes of protecting individuals’ vital interests, there is a risk that such data might then be subjected to further use and processing for other purposes.

If data can be anonymised before it is processed in the ways discussed, this might be a solution, since truly anonymised personal data falls outside of the GDPR’s scope. The European Data Protection Board has recommended that, in the first instance, public authorities should endeavour to process location data in an anonymous way. However, a recent news report has mentioned the possibility of reversing the anonymisation of such data in order to identify specific virus-carrying individuals. This would be a significant concern for the privacy of those individuals.

Notwithstanding the above, a careful balance will need to be maintained between individual rights and the needs of public protection during this pandemic. It is important to remember that the GDPR and the Data Protection Act 2018 still apply to UK public authorities and to private organisations, and even during this public health crisis, any project involving the processing of personal data is expected to comply with this legislation.
