ORG report finds that ICO failed to hold the government to account over use of public health data during pandemic

ORG’s new report exposes failures by the Information Commissioner’s Office (ICO) in protecting the public privacy and data rights during the Covid-19 pandemic.

Failure to act

Data privacy and the Information Commissioner’s Office During a Crisis analyses the ICO’s role in relation to three key Covid-19 health programmes:

  • NHS Test and Trace
  • NHS Contract Tracing App
  • NHS Datastore.

Our report finds that the ICO repeatedly failed to take action over clear breaches of data protection law by the government. The ICO’s decision to act as a “critical friend” meant that it was left to civil society and the media to challenge the government over a lack of transparency and accountability, excessive retention of data, missing and late Data Protection Impact Assessments (DPIAs), and the involvement of private companies without proper safeguards.

As a result of these failings, there are concerns that the large datasets created during the pandemic could still be used in new and unexpected ways in the future. Data sharing agreements with private companies like Palantir have allowed private corporations to take advantage of the pandemic to siphon sensitive data from national public health databases. Last month, Open Democracy reported that hospitals are being forced to share patients’ data multinational corporations like Palantir.

The future of data protection in the UK

The report provides further evidence that the Data Protection and Digital Information (DPDI) Bill should be dropped because it would further undermine the independence of the ICO. The Bill also presents a clear threat to the UK’s data protection framework when in fact the UK needs more robust data governance and accountability requirements, and stronger GDPR complaint mechanisms.

Policy Manager, Abigail Burke, said:

“The pandemic presented a unique set of difficulties for government but this does not excuse the general disregard for our privacy rights displayed by government and permitted by the ICO.

“The ICO’s failure to enforce data protection law undermined public trust at a time when it was desperately needed. We are still feeling the implications of this negligent data governance with the continued sharing of public health data with companies such as Palantir.

“With the government attempting to weaken data protection rights through the Data Protection and Digital Information Bill, it is more important than ever that the UK has a strong and independent data protection authority that is willing to stand up to the government, public bodies and corporations.”

About the report

The report analyses use of data in three key Covid-19 health programmes NHS Test and Trace, NHS Contract Tracing App and the NHS Datastore. It compares the ICO’s response to that of other European data protection authorities and UK regulators; analyses the future impact of new changes to data protection law; and sets out policy recommendations for the government and ICO.


Data privacy and the Information Commissioner’s Office during a crisis.


Key findings

  • Public health programmes were deployed unlawfully, and underpinned by negligent data governance. All three programmes failed to comply in full with the requirement in Article 35 GDPR for DPIAs. This was most notable for Test and Trace and for the Datastore, where no DPIA was entered into with providers prior to entering in agreements with them. Had they complied with the law, some of the subsequent data breaches could have been prevented. These included confidential contact tracing data being leaked on social media channels by Test and Trace personnel, being abused to harass women, or being lost due to being stored on an excel sheet.
  • The ICO acted as a “critical friend” and did not enforce the law effectively, which led to these programmes falling short of important safeguards and data protection requirements. This exposed the public to significant risks and harms as outlined above. This approach contributed to the delay to the rollout of the Covid-19 app after the government ignored the ICO’s advice about a decentralised app.
  • The ICO was absent from data protection conversations when it was needed most, most notably from discussions regarding the NHS Data Store, and continues to have a limited, hands-off approach to the Federated Data Platform. This has left civil society and the public to fill the regulatory and oversight gap and ask challenging questions.
  • The ICO was ill-prepared to deal with an emergency compared to other UK regulators, such as the Financial Conduct Authority (FCA) and other European data protection agencies, who took action to ensure that their government’s pandemic programmes complied with data protection law.
  • The DPDI Bill will weaken the UK GDPR’s accountability framework.
  • The DPDI Bill will water down the statutory function of the ICO and threaten its independence.

Hands Off Our Data

Your data will be used against you and you’ll have less ability to do anything about it.
Find Out More
Hands Off Our Data