18.The lockdown itself constitutes an interference in the human rights of individuals and is currently justified by the need to protect human life. It is appropriate that the Government is exploring options to save lives and to ease the restrictions caused by lockdown. The app’s contribution to reducing the severity of the lockdown and to helping to prevent the spread of Covid-19 must be demonstrated and improved at regular intervals for the collection of the data to be reasonable. This is the basis on which any discussion around the privacy concerns must proceed: if the digital contact tracing system does not work, or only has a minimal effect, the collection of huge amounts of data is indefensible.
19.The amount of data the contact tracing app requires on the private and family lives of individuals is not justifiable if the app does not contribute meaningfully to the easing of lockdown restrictions and the combatting of Covid-19. Digital contact tracing will not be as effective if uptake is low. Uptake will be lower without user confidence in privacy protections—therefore robust privacy protections are themselves key to effectiveness of the app and the digital contact tracing system. Interoperability with other countries’ systems will also be relevant to efficacy, not least to ensure that there is interoperability of systems in use on the island of Ireland. The Republic of Ireland has elected to use a decentralised app and if a centralised app is in use in Northern Ireland, there are risks that the two systems will not be interoperable which would be most unfortunate.
20.The Heath Secretary has informed us that he has appointed an independent Ethics Advisory Board.20 That is welcome but insufficient. There needs to be established by law and with sufficient powers a Digital Contact Tracing Human Rights Commissioner who would not only exercise oversight with the appropriate powers but also be able to deal with any complaints from the public and report to Parliament.
21.The Government must not roll out the contact tracing app nationally unless the following protections are in place:
a)Primary legislation: Government assurances about intended privacy protections for any data collected do not carry any weight unless the Government is prepared to enshrine these protections in legislation. A Bill would provide necessary legal clarity and certainty as to how data gathered could be used, stored and disposed of. It would also increase confidence in the app, increase uptake, and improve efficacy.
b)Oversight: There should be an independent body, such as a Digital Contact Tracing Human Rights Commissioner, to oversee the use, effectiveness and privacy protections of the app and any data associated with digital contact tracing. The independent monitoring body should have, at a minimum, similar enforcement powers to the Information Commissioner, to oversee how data collected is being used and protected. To guard against mission creep it cannot be left to the Information Commissioner’s Office to be the only body with powers of oversight or sanction; such an Office is not designed to monitor the significant rights-based implications that app based surveillance raises and, in addition, the Information Commissioner has been involved in the development of the app. Matthew Gould in his evidence to the Committee stated “However, we do not yet know exactly how it will work; we do not know all the consequences. There will be unintended consequences and there will certainly be some things that we have to evolve.” In light of this, the speed of piloting and intended roll out, it is imperative that an independent oversight body be established immediately. It must also be able to receive individual complaints. The monitoring body must be given sufficient resources to carry out their functions.
c)Child Safeguarding: Particular safeguards should be applied to children under 18. Children’s use must be monitored in relation to data collection and use of data. Misuse must be identified and rectified promptly. Interviews with children and parents (where appropriate) must take place in order to support children and act on any concerns.
d)Efficacy review: The Health Secretary must undertake a review every 21 days on the digital contact tracing system. Such reviews must cover efficacy, as well as the safety of the data and how privacy is being protected in the use of any such data. The Health Secretary must report to Parliament every 21 days on the findings of such reviews.
e)Transparency: The Government and health authorities must be transparent about how the app, and data collected through it, is being used. The Data Protection Impact Assessment must be made public and updated as digital contact tracing progresses.
f)Time-limited: Any digital contact tracing (and data associated with it) must be permanently deleted when no longer required and in any event may not be kept beyond the duration of the public health emergency.
22.Once the app’s utility is demonstrated, we recommend that the data and other human rights protections should be placed on a legislative footing. This would further improve efficacy by increasing uptake.
23.The current data protection framework is contained in a number of different documents and it is nearly impossible for the public to understand what it means for their data which may be collected by the digital contact tracing system. Government’s assurances around data protection and privacy standards will not carry any weight unless the Government is prepared to enshrine these assurances in legislation. Such a Bill must include the following provisions and protections:
a)Set out the clear and limited purposes of this app for data processing: Personal data may only be collected and processed for the purpose of preventing the spread of Covid-19. No personal data collected through the digital contact tracing app may be accessed for any other purpose. No personal data collected through the digital contact tracing app may be shared with third parties. There should be prohibition against data use for certain purposes such as legal proceedings, to support or deny benefits, data sharing with employers.
b)Unless an individual has notified that they have Covid-19 (or have suspected Covid-19) and has chosen to upload their data, all personal data should only be held locally on the user’s device and must be automatically deleted entirely from the app every 28 days.
c)Any personal data held centrally (e.g. following a diagnosis of Covid-19 or suspected Covid-19) must be subject to the highest security protections and standards.
d)Limit who has access to data and for what purpose: Data held centrally may not be accessed or processed without specific statutory authorisation, for the purpose of combatting Covid-19 and provided adequate security protections are in place for any systems on which this data may be processed.
e)Data held centrally may not be used for data reconstruction (i.e. where different pieces of anonymised personal data are combined to reconstruct information about an individual through piecing together multiple data sets).
f)Data held centrally must be deleted where a user so requests and may not be held for longer than is required and in any event for no longer than 2 years. All data collected must be deleted once the public health emergency is over.
g)The Minister must undertake a review and report to Parliament on the efficacy and privacy protections relating to digital contact tracing every 21 days.
h)Powers for a Digital Contact Tracing Human Rights Commissioner to ensure that authority has sufficient powers, staff and resources to oversee the roll-out of digital contact tracing, to look into individual complaints, to make binding recommendations on data protection, collection, storage, safety and use.
24.Furthermore the introduction of this app raises issues that go beyond data protection and privacy. Other human rights which are protected under the Human Rights Act 1998 (HRA) and ECHR are engaged, for example, the right to non-discrimination in employment and immigration matters. The declaration of compatibility with the HRA which would be required to accompany legislation would put the framework for the app on a firmer rights-based footing and ensure protection of all the rights engaged..21
25.There might be concerns that legislating could entail delays which would be undesirable since a key objective is to safely ease the lockdown as soon as possible. But legislation enshrining assurances in law is perfectly viable in time for the national roll out in the middle of this month. Parliament was able quickly to agree to give the Government sweeping new powers in the Coronavirus Act. If Parliament is able to swiftly enact legislation to confer powers it can do so to circumscribe them. The parties were able to agree that legislation and it should be possible to agree legislation to describe and circumscribe the contact tracing app expeditiously. The law could provide flexibility for any future changes which become necessary by enshrining the principles in primary legislation and the particulars in secondary legislation, which are easier to change but which still have the force of law.
20 Response from Rt Hon Matt Hancock MP, Secretary of State for Health and Social Care, regarding the Government’s plans to use digital technologies, dated 4 May 2020
21 Oral evidence taken on 4 May, HC (2019–21) 265, Q14, 4 May 2020. We also note that Australia has adopted legislation to address human rights concerns with their contact tracing app (The Guardian, Government releases draft legislation for Covidsafe tracing app to allay privacy concerns, 4 May 2020.) Dr Orla Lynskey evidence], and Q25 [Elizabeth Denham OBE]
Published: 7 May 2020