June 4, 2020
The Covid-19 pandemic has provided an early test of some of the more obscure of the GDPR’s provisions. One particularly interesting area is the pilot of the contact tracing app on the Isle of Wight to provide data on the potential spread of the virus. Given that this will involve the use of individuals’ health data and location data, there are a number of privacy and security issues that need to be addressed in the development and roll out of the app.
As such, the collaborative team of the Department of Health and Social Care, NHSX and NHS England have consulted with the Information Commissioner’s Office (ICO) about the development of the app. In the ICO’s words:
“We are reviewing the Data Protection Impact Assessment (DPIA) for NHSX’s pilot of its contact tracing app in the Isle of Wight. We’ll feedback our comments as quickly as possible so that they can be usefully included in the learnings from the trial.”
“Even though there is no legal requirement for them to do so, NHSX has asked us to informally review its DPIAs for the IoW trial and for a national roll out.”
Without delving too deep into the specific detail of the app, it has highlighted a very important area of the GDPR that has not had much attention since May 2018 – “prior consultation”. So, what is “prior consultation” and when is it required?
Under Article 35 of the GDPR, a DPIA is required where the use of personal data for a specific purpose is “likely to result in a high risk to the rights and freedoms” of individuals. Article 35 also sets out specific circumstances in which a DPIA is required.
DPIAs are particularly relevant when using and developing new technologies.
All of these are likely to be relevant to the Covid-19 app, but there are many other circumstances where they could apply, especially given the prevalence of apps and online services available – apps to track mental health, dietary and fitness plans, the increased use of biometric and genetic data, and targeted advertising based on those special categories of data. All need careful planning and consideration of the risks that might be presented to users.
Then, where a DPIA is required and the use of personal data presents a high risk to individuals without sufficient mitigating measures in place, the data controller is required to consult the relevant supervisory authority (in the UK, the ICO). The DPIA for the pilot was published recently. It is not clear at this stage whether the consultation was triggered because the measures set out in the DPIA are insufficient, but NHSX has consulted the ICO in any event.
Once a request for prior consultation is made, the ICO (or other supervisory authority) then has up to eight weeks, with a possible extension of up to six weeks, to respond with “written advice” to the data controller. The ICO is keen to stress that this consultation “is not an approval process”, so the status of that advice will be interesting – if it is not published proactively for the Covid-19 app, there are certain to be Freedom of Information requests submitted for a copy.
Following this process, a data controller does not have to agree with the advice of the ICO and there are many examples of when the ICO’s view on an issue has been challenged successfully, so the prior consultation process does bring interesting questions to mind. Would the ICO take enforcement action if their advice is not heeded? If the data controller carried on regardless, there are measures the ICO can take to prevent the data being used in an unlawful manner, but this would require the ICO to move quickly, something they are not always renowned for. Would the parties be willing to engage in lengthy litigation to resolve the issue? That creates potentially huge time and cost implications (see the challenges of the ICO’s recent notice of intent to fine British Airways and Marriott) and may not be the most efficient means of resolution.
However, this will be a useful precedent for seeing the approach taken by the ICO as part of the prior consultation process. Not all prior consultation exercises will attract the level of public interest of the Covid-19 app, but the transparency of this exercise will be of interest to many people, especially those working in the privacy sphere.
What this does highlight is that the DPIA process is not a box-ticking exercise, just some paperwork to be completed before an organisation can plough on with its intended path regardless. It must be a genuine and live risk assessment that puts individuals’ rights and freedoms at the fore. If those risks cannot be mitigated to an acceptable level, you may need to change course or undertake a prior consultation exercise. Detailed planning from the outset, and building data protection by design and by default into all project management and product development processes, is the most effective way of ensuring you do not trip up further down the line.