Following the publication last week by the Joint Committee on Human Rights of its report on the proposed NHS App and the risk of adverse effects on privacy and human rights, the Committee has drafted a Bill – the Digital Contact Tracing (Data Protection) Bill – and sent it to the Health Secretary, Matt Hancock.
This article provides a brief analysis of the Bill and, in particular, looks at some of the gaps in human rights and data protection law and oversight it is designed to plug. For my thoughts on the report itself see here.
The Bill starts by identifying ‘digital contact tracing data’ as ‘personal data obtained through digital contact tracing’.
Personal data is already defined in s3(2) of the Data Protection Act 2018 (DPA) as ‘any information relating to an identified or identifiable living individual’, and so the clear intention is that special attention should be paid to this particular sub-set of personal data.
(This definition may need to be re-visited: if an individual is not ‘identifiable’ from the contact data (and that is the NHS intention), then the contact data may not be ‘personal data’ and would not fall within the definition in clause 1).
Clause 2 of the Bill defines the term ‘permitted contact tracing purposes’ as meaning the protection of those infected with Coronavirus, and preventing or controlling the spread of Coronavirus. The definition is important because by clause 9 an ‘authorised person’ can only process digital contact tracing data for these permitted purposes.
This appears to be a response to the evidence given to the Committee by the NHS that the contact data could be used for ‘health, public health and associated research purposes’. It seems clear that in the Committee’s view that definition was too wide and needs to be curtailed by primary legislation. It also may be a reaction to the evidence about the risk of ‘function creep’ where the app could be updated to include further, more specific, information over time.
The Bill seeks to ensure that safeguards have the force of law. Thus, although the NHS says it has consulted the National Cyber Security Centre (NCSC), the Bill makes periodic review by the NCSC compulsory. There must also be ‘approved arrangements’ for the deletion of the data as soon as possible, as well as periodic reviews of the need for digital contact tracing (every 21 days). Further provisions cater for publication, regulations and criminal offences.
One interesting aspect of the Bill is the provision made for a Digital Contact Tracing Human Rights Commissioner (the Commissioner) with a specific brief to review the application of the ‘law relating to privacy, data protection and human rights’ to digital contact tracing (clause 6), as well as the security, use and risks attached to it.
It is, of course, the Information Commissioner who is appointed pursuant to the DPA to carry out a whole range of functions in relation to personal data. These include advising, monitoring, enforcing, investigating and reporting on the issue (Sch 12 to the DPA).
In evidence to the Committee the Information Commissioner made it fairly clear that she thought she could and should provide the appropriate review and enforcement functions in relation to contact tracing data, and pointed out the time it would take to appoint a new commissioner. However, the Committee seemed to be concerned that the Information Commissioner’s remit did not include privacy and human rights matters, and this is reflected in the statutory functions of the new role defined in the Bill.
This concern was further reflected in the letter by the chair of the Committee, Harriet Harman MP, to the Secretary of State, where she argued that ‘The current law is an unsatisfactory mishmash spread across the GDPR, the [DPA], Article 8 [ECHR] and caselaw on the right to privacy’.
The Committee’s report and the draft Bill seem to be the only serious attempts to provide extra protection and statutory oversight to what will amount to a huge exercise of mass surveillance. The right choice must be to take the Committee’s route of circumscribing as closely as possible the exercise of these powers by means of primary legislation and very specific oversight, rather than take the risk that current safeguards will be sufficient.