Data privacy and the Information Commissioner’s Office during a crisis: Lessons learned from the Covid-19 pandemic

A new report exposes failures by the Information Commissioner’s Office (ICO) in protecting the public’s privacy and data rights during the Covid-19 pandemic.

The report analyses the use of data in three key Covid-19 health programmes: NHS Test and Trace, the NHS Contact Tracing App and the NHS Datastore. It compares the ICO’s response with that of other European data protection authorities and of other UK regulators; analyses the future impact of new changes to data protection law; and sets out policy recommendations for the government and the ICO.

Key findings

  • Public health programmes were deployed unlawfully and underpinned by negligent data governance. None of the three programmes complied in full with the Article 35 GDPR requirement to carry out a Data Protection Impact Assessment (DPIA). This was most notable for Test and Trace and for the Datastore, where no DPIA was completed before agreements were entered into with providers. Had the programmes complied with the law, some of the subsequent data breaches could have been prevented. These included confidential contact tracing data being leaked on social media by Test and Trace personnel, being abused to harass women, and being lost because it was stored in an Excel spreadsheet.
  • The ICO acted as a “critical friend” and did not enforce the law effectively, which left these programmes short of important safeguards and data protection requirements and exposed the public to the significant risks and harms outlined above. The same approach contributed to the delayed rollout of the Covid-19 app after the government ignored the ICO’s advice in favour of a decentralised app.
  • The ICO was absent from data protection conversations when it was needed most, most notably from discussions about the NHS Datastore, and continues to take a limited, hands-off approach to the Federated Data Platform. This has left civil society and the public to fill the regulatory and oversight gap and to ask the challenging questions.
  • The ICO was ill-prepared for an emergency compared with other UK regulators, such as the Financial Conduct Authority (FCA), and with other European data protection authorities, which took action to ensure that their governments’ pandemic programmes complied with data protection law.
  • The Data Protection and Digital Information (DPDI) Bill will weaken the UK GDPR’s accountability framework.
  • The DPDI Bill will water down the statutory functions of the ICO and threaten its independence.

Attend the launch event

Join us for the online launch of our report into how your confidential medical data was handled during the Covid-19 pandemic.