Digital Privacy

Data privacy and the ICO during a crisis: Lessons learned from the Covid-19 pandemic

A new report exposes failures by the Information Commissioner’s Office (ICO) in protecting the public privacy and data rights during the Covid-19 pandemic.

The report analyses use of data in three key Covid-19 health programmes NHS Test and Trace, NHS Contract Tracing App and the NHS Datastore. It compares the ICO’s response to that of other European data protection authorities and UK regulators; analyses the future impact of new changes to data protection law; and sets out policy recommendations for the government and ICO.

Key findings

  • Public health programmes were deployed unlawfully, and underpinned by negligent data governance. All three programmes failed to comply in full with the requirement in Article 35 GDPR for DPIAs. This was most notable for Test and Trace and for the Datastore, where no DPIA was entered into with providers prior to entering in agreements with them. Had they complied with the law, some of the subsequent data breaches could have been prevented. These included confidential contact tracing data being leaked on social media channels by Test and Trace personnel, being abused to harass women, or being lost due to their storage on an excel sheet.
  • The ICO acted as a “critical friend” and did not enforce the law effectively, which led to these programmes falling short of important safeguards and data protection requirements. This exposed the public to significant risks and harms as outlined above. This approach contributed to the delay to the rollout of the Covid-19 app after the government ignored the ICO’s advice about a decentralised app.
  • The ICO was absent from data protection conversations when it was needed most, most notably from discussions regarding the NHS Data Store, and continues to have a limited, hands-off approach to the Federated Data Platform. This has left civil society and the public to fill the regulatory and oversight gap and ask challenging questions.
  • The ICO was ill-prepared to deal with an emergency compared to other UK regulators, such as the Financial Conduct Authority (FCA) and other European data protection agencies, who took action to ensure that their government’s pandemic programmes complied with data protection law.
  • The DPDI Bill will weaken the UK GDPR’s accountability framework.
  • The DPDI Bill will water down the statutory function of the ICO and threaten its independence.

ATTEND THE launch event

Join us for the online launch of our report into how your confidential medical data was handled during the COVID-19 pandemic.

Register now