Blog: Engagement key in protecting people’s privacy across the UK during the pandemic

13 October 2020

Information Commissioner Elizabeth Denham highlights the positive results of the ICO’s engagement with the UK devolved administrations on the use of data in the fight against COVID-19.

In times of crisis, the value of collaboration is crucial. That’s been central to the ICO’s approach during the pandemic, whether that’s benefiting from the shared expertise of international colleagues through the Global Privacy Assembly, or working alongside organisations within the UK.

Last month, I wrote about the engagement with the Department of Health and Social Care on the England and Wales NHS COVID-19 app, and how this positive relationship encouraged the necessary consideration of people’s data protection rights within the app.

We have enjoyed similar positive engagement in Northern Ireland, Scotland and Wales, where public health is a devolved matter. My offices have been working closely with the devolved administrations and other public bodies since the start of the pandemic to ensure that any COVID-19-related projects adopted a privacy by design approach.

This work has included advice and guidance on the shielding and manual contact tracing programmes, the collection of customer details, as well as the Data Protection Impact Assessments (DPIAs) for proximity apps in Northern Ireland and Scotland. We provided feedback on areas including automated decision making, improving transparency information and clarity on people’s information rights and legal basis.

Northern Ireland was the first administration in the UK to launch a proximity app, and the first app in the world to have interoperability with another country, in this case with the Republic of Ireland. The NI Department of Health (DoH) used the ICO’s expectations document as reference for prospective developers. To ensure full transparency and open public collaboration, the source code, the related DPIA and correspondence with the ICO on the StopCOVID NI app have been published by DoH.   

The DoH continued to engage with my office in Northern Ireland while working on the recent update of their app, which is now available to children aged 11 and above. We were clear that children’s privacy and level of understanding must be considered in all aspects of the app’s design.

The Scottish Government has worked openly and transparently with my Edinburgh office to ensure people’s information is being handled appropriately. This engagement assisted in increased understanding of the data flows and helped, in the case of the Protect Scotland App, to produce a clear, unambiguous and accessible DPIA that has received very positive feedback.                    

And my team in Wales played a key role in facilitating and supporting discussions between health bodies and local authorities as the Test, Trace, Protect programme was developed. The collaboration from the authorities involved in the delivery of the programme allowed us to provide advice that will help reassure the Welsh public that their data is being processed lawfully.  

Additionally, our engagement with DHSC around the development of the England and Wales COVID-19 app meant that we were able to provide timely and relevant advice to the Welsh Government on how the app would impact the personal data of Welsh citizens.

Our regional support has not just been about working with the public sector. Our local advice services have been busy dealing with enquiries from businesses, organisations and members of the public based in Northern Ireland, Scotland and Wales, providing tailored advice reflecting any differences in the devolved approaches to the COVID-19 response and information rights more generally. In Wales, this includes the provision of advice in the Welsh language for Welsh speaking stakeholders.

What’s important throughout is that people’s privacy rights are being considered at the heart of those apps and services. That’s crucial to trust, so people have the confidence to download an app or to hand over their data to help supress the spread of COVID-19.

Our responsibility as a regulator is to support and advise organisations to comply with data protection law. And my regional offices are best placed to provide guidance to and engage with the three devolved administrations and other local stakeholders to ensure people’s privacy continues to be protected.