The UK’s information rights body must act to ensure the government stops “playing fast and loose” with people’s health, it has been claimed.
A cross-party group of MPs has written to information commissioner Elizabeth Denham raising concerns over the government’s approach to data protection and privacy.
In a letter, the group accused ministers of paying “scant regard” to both privacy concerns and data protection duties during the coronavirus (Covid-19) pandemic.
Government “appears unwilling to understand its legal duties”
The group accused the government of engaging with private contractors that have “problematic reputations” to process personal data. And it said the government had built a contact tracing proximity app that centralised and stored more data “than was necessary, without sufficient safeguards”.
On releasing the app for trial, the group noted, ministers failed to notify the information commissioner in advance of its data protection impact assessment.
The group also said the government admitted it had breached its data protection obligations by failing to conduct an impact assessment prior to the launch of their Test and Trace programme.
The group said it is now “imperative” that action is taken in order to establish public confidence. The letter stated:
The Government not only appears unwilling to understand its legal duties, it also seems to lack any sense that it needs your advice, except as a shield against criticism.
Regarding Test and Trace, it is imperative that you take action to establish public confidence – a trusted system is critical to protecting public health.
The letter added:
ICO [Information Commissioner’s Office] action is urgently required for Parliament and the public to have confidence that their data is being treated safely and legally, in the current Covid-19 pandemic and beyond.
“There is something rotten at the heart of the ICO “
Jim Killock, executive director of the Open Rights Group, who organised the letter, warned the ICO about avoiding the fate of Public Health England – with its closure announced this week by the government. He said:
There is something rotten at the heart of the ICO that makes them tolerate Government’s unlawful behavior.
The ICO is a public body, funded by the taxpayers, and accountable to Parliament. They must now sit up, listen, and act.
As a regulator, ICO must ensure that the Government upholds the law. They must heed the lessons from what’s happened to Public Health England.
The only way to avoid that fate is to enforce the law and discharge their legal responsibility properly.
“Trust is already being stretched wafer thin”
Green MP Caroline Lucas, one of the signatories to the letter, raised the issue of data protection directly with health secretary Matt Hancock in the Commons last month. She said:
Running a risk assessment on data protection is not an optional extra. It’s a legal requirement and it’s essential if people are to be reassured that when they hand over their data to contact tracers, that data won’t be misused.
We will only get through this Covid pandemic if there is trust in ministers and in the systems they put in place. That trust is already being stretched wafer thin.
If people are to have confidence in the test and trace system, there must be an assessment of the risk of data leaks and measures put in place to prevent them.
“Playing fast and loose with people’s health and safety”
Labour MP Clive Lewis, a signatory to the letter, said:
The ICO needs to act to ensure the Johnson government stops playing fast and loose with people’s health and safety.
The Johnson government brought this programme forward more quickly than was practical, and we are all paying the consequences. Privacy is fundamental to trust.
The ICO must investigate and force the Government to fix the problems, to avoid a wider breakdown in trust.
ICO response
Meanwhile, an ICO spokesperson said:
Our regulatory obligations include advising as well as supervising the work of data controllers.
Our approach during the pandemic has been to provide advice on the data protection implications of a number of initiatives by the UK Government, the NHS, local councils and private sector organisations to respond to the public health crisis.
We understand and recognise the Government and other organisations had to act quickly to deal with the national health emergency and we have explained their data protection obligations and provided guidance and expertise at pace to them.
We have published much of this work so there is transparency and will audit and investigate arrangements where necessary to ensure people’s information rights are upheld.
We will continue to uphold people’s information rights and we will act where our advice is not followed and where we find serious, systemic or negligent behaviour that puts people’s protections at risk.