Data protection in the COVID-19 pandemic

– a step backwards?

By Charles Calveley

Published 2020-05-15

Over the past few years, in particular, companies have become increasingly aware of the importance of data protection and compliance. Now, however, as we navigate through the global pandemic that is COVID-19, data protection has been catapulted into the spotlight…..or has it? Well, it should be and here’s why:

In a bid to manage and control the spread of this pandemic, governments, companies and organisations, not least of course the NHS, are now collecting and processing information of an increasingly personal and sensitive nature about individuals. Intimate details about a person’s health, in particular, are being harvested and passed on: whether the individual suffers from Multiple Sclerosis, for example, or perhaps Parkinson’s or even a Sexually Transmitted Disease.

It is not the intention of this brief article to venture into the minefield that is General Data Protection Regulation (GDPR) and data protection law in general. Suffice it to say, the information being gathered constitutes personal data, and where it relates to individuals’ health, it also falls within the sub-category of “special categories of personal data”. Such data are subject to strict compliance rules in the UK and the EU, not to mention the US and elsewhere.

The UK governing body for data protection, the Information Commissioner’s Office (ICO) has published a document setting out its regulatory approach during the pandemic. In its own words:

“It details how we will use the flexibility of UK law to reflect these exceptional times, while continuing to recognise the importance of privacy protections and the value of transparency”.

Perhaps the word “flexibility” here says it all – food for thought, not to mention concern.

Apparently “During the pandemic and beyond, the ICO’s work will be focused on three key areas:

  1. Protecting public interests
  2. Enabling organisations to engage in responsible data sharing
  3. Monitoring intrusive and disruptive technology”

Further, the ICO identifies six priorities:

  1. Protecting our vulnerable citizens
  2. Supporting economic growth and digitalisation, including for small businesses
  3. Shaping proportionate surveillance
  4. Enabling good practice in AI
  5. Enabling transparency
  6. Maintaining business continuity: developing new ways of working in readiness for recovery”

Note the inclusion of the words “during the pandemic and beyond (author’s italics). So, albeit no doubt with the best of intentions, is this pandemic perceived as a passport for the authorities to harvest ever more information on us, perhaps amounting to a so-called “snooper’s charter”. What exactly is “proportionate surveillance”?

All over the world, there have been tens of millions of COVID-19 tests, but so far only a few countries have produced clear legislation or guidelines on how those data are going to be used in the future! What is more, officials are using mobile communication data, location data, web browsing data and social network data to “enhance” their anti COVID-19 efforts, none of which is with explicit consent from the subjects.

Inevitably some of the data will be sold without our knowledge. This could be a case of “caveat vendor”.

Finally, consider this: the biggest concern is what we don’t know.

High Skills Partners’ articles are provided for your interest and do not constitute advice, legal or otherwise. We aim to be informative, thought-provoking and to reflect our experience, whilst striving for accuracy and correctness. © 2020 High Skills Partners Limited