Data protection and COVID-19
Over the course of this year, we’ve reported on various stories and examples of video surveillance solutions being used to contain or detect the coronavirus, otherwise known as COVID-19. Thermal imaging, facial recognition software, and AI have all been utilised in a number of countries to support the effort of stopping the spread, but the question remains – what path will this lead us down in the future? Is it opening the door to greater use of surveillance, and will it result in privacy being compromised in the UK?
Here, Toni Vitale, Partner and Head of Data Protection at JMW Solicitors, offers his thoughts on the challenges that lie ahead with regard to privacy laws and the protection of data.
The UK government recently approached O2, Vodafone, EE and Three about using phone signals as part of its efforts to tackle the coronavirus outbreak. The data is anonymised so its use is in compliance with UK and EU data privacy laws, but it may still be an infringement of the human right to privacy under the Human Rights Act.
Now, there is talk of an NHS app that can track your recent proximity to anyone who tests positive for Covid-19.
Data regulators such as the UK’s Information Commissioner’s Office (ICO) are aware of the struggles organisations and their governments are facing in the current Covid-19 pandemic. The ICO has issued a statement to say that it does not have the power to change statutory deadlines, such as 30 days to respond to a subject access request. However, it will be sympathetic when considering enforcement action as it recognises that most companies’ focus has been elsewhere, so it will take into account the compelling public interest in the current health emergency.
Whilst public health interests can provide legitimate reasons to increase monitoring of individuals, mass surveillance by governments must be approached with caution. The latest developments in tracking technologies using mobile phone apps and data could have serious implications for privacy and other human rights long after the coronavirus pandemic has subsided.
Take-up of the NHS app will need to reach 60% of the population for it to be effective. But there is a danger that if the public accept this intrusive use of personal data for health reasons in an emergency, they could become desensitised to the UK government using the data for crime prevention, monitoring large crowds at events, or even replacing the national census (due in 2021).
The European Union is likely to take a cautious approach to such monitoring, but in other parts of the world tracking is already taking place. In China, the Government reportedly worked with a number of tech giants to keep track of the population.
The European Data Protection Board (which advises the EU Commission on data privacy) advocates a more cautious approach in Europe. The EDPB advises that public authorities “should first seek to process location data in an anonymous way… which could enable generating reports on the concentration of mobile devices at a certain location”.
Whilst it recognises that EEA Member States are entitled to introduce legislative measures to safeguard public security, it points out that if this involves non-anonymised location data then the legislative measures must also put in place adequate scrutiny and safeguards. These could include providing the right to a judicial remedy. It emphasises that governments should always use the least intrusive solutions possible, taking into account the specific purposes of the legislation. Blanket surveillance is unlikely to be compliant with EU laws, even when it is for the public good.
These are extraordinary times, but human rights law still applies. Indeed, the human rights framework is designed to ensure that different rights can be carefully balanced to protect individuals and wider societies. Governments cannot simply disregard rights such as privacy and freedom of expression in the name of tackling a public health crisis. On the contrary, protecting human rights also promotes public health. Now more than ever, governments must rigorously ensure that any restrictions to these rights are in line with long-established human rights safeguards.
Human Rights Watch (an international non-governmental organisation) has issued an eight-point declaration to balance individual rights and the need for governments to protect public health:
- Surveillance measures adopted to address the pandemic must be lawful, necessary and proportionate.
- New monitoring and surveillance powers must be time-bound, and continue only for as long as necessary.
- Data must only be used for the purposes of responding to the pandemic.
- Governments must protect people’s data, including ensuring sufficient security.
- Governments must address the risk that the tools will facilitate discrimination and other rights abuses against racial minorities, people living in poverty, and other marginalized populations.
- If Governments partner with private sector entities, the agreements must comply with the law, and sufficient information to allow public oversight must be publicly disclosed. Such agreements should be in writing, with sunset clauses.
- Increased surveillance should not fall under the domain of security or intelligence agencies and must be subject to effective oversight by appropriate independent bodies.
- Data should be shared with relevant stakeholders, in particular experts in the public health sector and marginalised population groups.
The declaration has been signed by many international organisations to urge governments to show leadership in tackling the pandemic in a way that is strictly in line with human rights.
About the author
Toni Vitale has assisted clients on a wide range of privacy and cyber security issues, including regulatory and compliance investigations, data monetisation and data breaches. He has advised on GDPR, e-privacy, PECR, net neutrality, RIPA, reputation management and cyber security. He has consulted with CEOP, the Home Office and NTAC, and has also given evidence to a Joint Committee of Parliament on the Data Communications Bill.