The COVID-19 outbreak has resulted in an unprecedented focus on the power of data to assist in resolving national emergencies. From health tracking, to volunteer coordination, to accurately identifying the vulnerable, data is being harnessed in both the public and private sectors to try to help bring COVID-19 under control and mitigate its impact.
In the last few weeks we have seen a dramatic increase in wide scale data processing by both the private and the public sectors, particularly in the context of special category data such as health data, across relatively short timescales. Such a rapid turnaround will inevitably raise questions about the extent to which data controllers are fully complying with applicable data protection legislation including the Data Protection Act 2018, the e-Privacy Regulation and the General Data Protection Regulation (“GDPR”) (together, “Data Protection Legislation”), and interesting considerations about balancing a desire to help others with data protection principles that prioritise privacy.
Both the Secretary of State for Health and Social Care Matt Hancock and the Information Commissioner’s Office (“ICO”) have tried to give comfort that data protection compliance should not stand in the way of responding to COVID-19. In a tweet, Mr Hancock stated that the “GDPR does not inhibit use of data for coronavirus response”. The ICO has noted that COVID-19 raises “unprecedented challenges” and that it is “a reasonable and pragmatic regulator, one that does not operate in isolation from matters of serious public concern”. However, it is not the case that the rules have gone out the window, and none of the statements made should be taken as giving carte blanche to use personal data indiscriminately. All of the usual rules apply; it is simply that the relevant authorities are likely to take a more practical view when considering whether companies or other entities have fulfilled their legislative obligations.
It is clear from Government responses around the world to date that technology and data are at the forefront of the battle to understand, track and contain the COVID-19 pandemic.
In the UK, the newly enacted Coronavirus Act has indirectly opened the door for new data processing, particularly in relation to law enforcement, and many commentators are concerned about the potential resultant privacy impact on citizens. The UK Government is also considering how phone location data might be used to track the effectiveness of social distancing, a move which could result in unprecedented levels of data sharing between private telecoms organisations and public authorities.
At the moment however, the NHS is leading the way with data use. It has responded quickly, aiming to use technology and data to map its assets (such as beds and healthcare staff) and their deployment, as well as developing contact tracing, volunteering and data sharing initiatives, often in collaboration with private sector organisations.
In Europe, we are seeing a similar balancing act between public health and privacy. Several governments are looking to phone location data for social distancing and contact tracing purposes, but we are seeing varying approaches in terms of setting guidelines for personal data usage. It is clear that there is a tension between the desire to do everything possible to halt the spread of the virus and save lives, versus setting a precedent for broad sweeping incursions into the private lives of citizens at a time when freedoms are already being restricted in ways that have not been seen since the Second World War. One private development of note is the Pan-European Privacy-Preserving Proximity Tracing project, which seeks to harmonise the need for contact tracing with Europe’s more stringent data protection laws.
Internationally, the use of personal data varies considerably, and we are seeing some particularly interesting but potentially privacy invasive uses of personal data in countries such as Israel and Taiwan. No matter where you are, personal data is at the forefront of the fight against COVID-19, and countries such as Singapore and South Korea credit their use of personal data as a key element of their strategies for containing the outbreak.
Of course, holding or processing more personal data also increases cyber security risks and raises the potential for phishing attacks, which are already being seen around the world. At a time when the world’s attention is focussed on the outbreak, cyber criminals are clearly seeing an opportunity and seeking to capitalise on it.
Finally, it is worth also noting that all organisations, no matter the sector they occupy, are finding themselves dealing with new internal data protection considerations, such as in the context of remote working, or trying to decide the extent to which to process the personal data of unwell employees. We do not consider such processing here, but you can find out more in our post on Data Privacy Issues.
Public Sector Responses
The UK Government is having to act more dynamically than at any other time in recent memory to try to manage and contain the outbreak of COVID-19. It is increasingly becoming apparent that innovative uses of data, including processing large volumes of personal data, are at the forefront of the Government’s response.
When the Coronavirus Bill 2020 was enacted on 25 March 2020 (the “Act”), it was scrutinised by data protection practitioners. Although there are no direct data processing provisions, a number of sections will potentially require increased data processing and potential incursions into data subjects’ privacy:
- It is unsurprising that the Act anticipates increased surveillance and possible civil unrest. Section 22 of the Act allows for temporary judicial commissioners overseeing surveillance, and the continuation of the Investigatory Powers Act 2016 (often referred to as the ‘Snooper’s Charter’) without inhibition. Intelligence agencies are able to ask for warrants for a range of surveillance activities including real time surveillance and accessing bulk mobile data. Importantly, if a telecommunications operator is required to provide such data under the Investigatory Powers Act they may also be prevented from disclosing this to the public.
- The Act contains several provisions that deal with general data sharing between entities and Government agencies, providing that such sharing will not contravene Data Protection Legislation. Two key areas where this takes effect are in relation to the food supply chain, and local authority capacity to deal with the transportation, storage or disposal of the deceased.
One of the key critiques of the Act is that it is likely to be left in place following the end of the epidemic and allows powers to last for a period of two years, which is potentially an excessive timeframe. The Government has provided a small concession by introducing six monthly reviews where Parliament may decline to renew the powers. Regulations would then need to be brought forward for the Act to cease to have effect.
Many commentators have raised concerns about the powers granted by the Act. Big Brother Watch has warned that the Act is draconian and appears to “weaken safeguards on mass surveillance powers”. Meanwhile, a number of Britain’s leading data scientists have written an open letter warning of the dangers of technology and data-driven decisions, especially the implications of the NHS introducing a new data-tracking app that may infringe rights. The letter also criticises the lack of transparency on use of mobile phone data and tracking, allowed under the Investigatory Powers Act.
Separately from the Act, the Government has considered how it might use phone location data provided by UK telecommunications operators. BT (owner of EE) and O2 have both been reported to be in talks with the Government regarding the potential use of smartphone location and usage data to confirm whether social distancing measures are working, and whether people are actually staying at home. It may also be leveraged to provide localised health alerts to the public. Whilst O2 has provided aggregated anonymised data so far, there is no suggestion that data which might identify individuals has been required yet. If it was, this would be an unprecedented level of surveillance at a time where less invasive alternatives are becoming available (see more below on Bluetooth-based contact tracing). The ICO has however specifically ‘approved’ the use of aggregated and anonymised mobile phone data to track and monitor behaviour, noting that “[g]eneralised location data trend analysis is helping to tackle the coronavirus crisis. Where this data is properly anonymised and aggregated, it does not fall under data protection law because no individual is identified. In these circumstances, privacy laws are not breached as long as the appropriate safeguards are in place.” This will be of comfort to telco operators being asked to provide data. However, it is worth noting that truly anonymised data does not fall within the scope of the GDPR in any event.
Police and Law Enforcement
In the past few weeks, police forces across the country have come in for criticism about excessive exercises of their COVID-19 related powers and incursions into people’s privacy. Videos have been posted by local forces showing drone footage of people walking in the Peak District with the suggestion that this is in breach of Government guidance, random checkpoints have been established, and more and more people are being questioned about their activities when outside of the home.
In all of those cases, police forces are likely to be processing personal data about individuals, and whilst they have been granted wider powers under the Act, this will still need to be undertaken in a manner which complies with Data Protection Legislation. On a more holistic level, there is a view that although people are willing to suffer some incursions on their privacy and freedoms to deal with COVID-19, recent actions have gone too far, and risk claims that we may now be living in an Orwellian state. This is perhaps an unintended consequence of broad data collection powers being granted without associated guidance on how to utilise such powers in a way which mitigates the privacy impact on individuals.
The NHS has unsurprisingly been at the forefront of Government data usage. On the operational management side, the NHS intends to create a data platform which tracks the movement of critical staff and materials in conjunction with Palantir, also leveraging Microsoft Azure, Google G Suite, Amazon AWS and support from Faculty, a London based AI specialist. The data store is not intended to include health data (although such data may inform the dashboard in an aggregated form), but will provide a dashboard for tracking a wide range of information including A&E capacity, the number and location of beds, ventilators and active NHS staff. By using this system, which acts as somewhat of a health check for the NHS itself, decision makers will be able to allocate resources based on an accurate overview of the real-time responses. We understand that NHSX (the innovation arm of the NHS) has committed to terminating data agreements and removing and destroying data once the crisis is over. The project nonetheless raises interesting questions about collaborations with other organisations. Choosing the right partner is going to have a measurable impact on data subjects’ trust in any COVID-related initiative. Here, data protection advocates have raised concerns about Palantir’s involvement given its controversial work with the US Immigration and Customs Enforcement agency, and projects including predictive policing. The issues are not just legal but also reputational. Data subjects are willing to hand over their personal data to manage a crisis, but may do so less freely if they don’t trust the organisations that they are giving it to.
The NHS’s second major development is in relation to contact tracing. It was reported on 31 March 2020 that the UK government is actively set to develop some form of contact tracing app in the near future. Led by NHSX, the app will leverage Bluetooth to identify individuals who have been in close proximity to each other, storing a record of that contact, and providing a mechanism through which an individual can be notified if they have been near someone that tested positive for COVID-19. Given the anticipated use of Bluetooth, it is possible that NHSX may leverage Singapore’s TraceTogether app which used the same technology, the code for which was open-sourced by the Singapore government last week. You can read more about the proposed app and relevant data protection considerations, along with the privately-developed Covid Symptom Tracker app, here.
In March, Matt Hancock issued four notices under the Health Service Control of Patient Information Regulations 2002 which will require NHS Digital, NHS England and Improvement, health organisations, arm’s length bodies, local authorities and GPs to process and share confidential patient information with each other in relation to COVID-19. The notices run until 30 September 2020 at the time of writing, but may be reviewed and extended. Whilst the notices make clear that the GDPR will still apply, they represent a fairly unprecedented level of interagency data sharing, and may represent a new high water mark in relation to sharing patient details.
Finally, one of the most positive personal data uses to come out of COVID-19 has been the GoodSAM NHS Volunteer Responder initiative, a platform for ordinary people to volunteer to support the NHS in various roles from taking patients home, to collecting shopping, to checking in with individuals at risk of loneliness. Over 750,000 have now provided their personal data to the platform to be matched with volunteering roles.
In the early stages of COVID-19 in Europe, the European Data Protection Board stated that “[d]ata protection rules do not hinder measures taken in the fight against the coronavirus pandemic”. In the context of location tracking, it noted that, “[t]he national laws implementing the ePrivacy Directive provide for the principle that the location data can only be used by the operator when they are made anonymous, or with the consent of the individuals. The public authorities should first aim for the processing of location data in an anonymous way”. Where anonymisation is not possible, the EDPB’s view is that Member States should introduce legislative measures pursuing national security and public security to allow electronic communication data processing.
In a more recent development, the European Data Protection Supervisor (“EDPS”) issued a letter on using mobile phone data for monitoring. In line with the ICO’s position, the EDPS noted that aggregated and anonymised mobile phone data could be used to map the movement of people. However, the EDPS noted that removing obvious identifiers such as phone numbers and IMEI numbers would not be sufficient to effectively anonymise the data. The Supervisor also made clear that there should be transparency towards the public to avoid any potential misunderstandings.
European governments and data protection regulators have taken varying approaches in their COVID-strategies. The CNIL in France has said that data should be limited to the purpose of managing exposure to the virus. It flagged in particular that employers may not take mandatory temperature readings of employees or visitors on a systematic and generalised basis, or require them to complete compulsory medical questionnaires. Italy passed emergency legislation requiring individuals from at-risk areas to notify health authorities, whilst Germany specifically updated its national privacy legislation to allow for processing of personal data in an epidemic, or natural or man-made catastrophe. Furthermore, despite being notoriously privacy-focused, Germany is now looking at introducing some form of contact tracing app, notwithstanding that the government had to back down in March from related plans to track location data due to public backlash.
Supplementing the government approaches, a European technology group unveiled the Pan-European Privacy-Preserving Proximity Tracing (“PEPPPT”) project on 1 April 2020, as an attempt to marry the need for contact tracing with the European Union’s more stringent data protection requirements. It is described as “a fully privacy-preserving approach” to contact tracing. Whilst the PEPPPT project works on a Bluetooth model which is similar to the Singaporean TraceTogether approach, the data it collects is extremely limited. Any apps using the PEPPPT model would only generate a temporary anonymised and encrypted ID, with no location data or identifiable features of end devices collected. Perhaps the most useful aspect of the project is that it acknowledges that there is no ‘one size fits all’ solution for the European Union, and instead provides technical mechanisms and standards that can be tailored to the relevant jurisdiction.
Other international responses
It will be interesting to see which lessons from other international governments the UK chooses to follow. Initiatives globally have varied in their success, and there have been some fairly significant incursions into the privacy rights of individuals.
The initial decline in the rate of new infections in South Korea was widely attributed to the government’s use of Corona 100m, a central tracking app which provides a publicly available map for users to check if they have been within the vicinity of a known case, and proactively informs users where they have been. Concerns have, however, been raised over the level of information provided to the public, as such data can include surname, gender, age, profession and travel history of the infected individual.
Singapore employed TraceTogether, an app which can use Bluetooth to identify people who have been within two metres of a confirmed case for at least thirty minutes. Once users grant the app permission, it begins logging other people using the app who the user has come in close contact with. Where data shows they have come into close contact with someone who has tested positive for the virus, the user can then opt to share their log data, i.e. data on other people, with the government.
Others have taken different approaches. For example, the Indian state of Karnataka has now made it mandatory for those individuals asked to self-quarantine to upload an hourly selfie to an app called ‘Quarantine Watch’. Poland have implemented something similar for those entering a 14-day mandatory quarantine within the country. An app sends periodic requests for geo-located selfies, with the police being alerted if a selfie is not uploaded within 20 minutes of request.
On the more draconian end of the scale, the Israeli government passed an emergency law in March that allows the police and the security services access to the entire nation’s mobile phone location data in an effort to curb the virus. Hong Kong have embraced wristbands for those in quarantine (now reportedly with a GPS tracker built in), whilst Taiwan have employed what they have called a mobile phone based ‘electronic fence’ system, which alerts police and local officials if those in quarantine move away from their home address or turn their phone off. China has also reportedly introduced a health code system where users are given a colour ranking which will determine whether they should be quarantined or not, and potentially limits their ability to access public places, but little is known about how users’ personal data is used to generate these classifications.
There have also been a wide range of responses in the private sector to try to manage the COVID-19 outbreak, with several organisations focussing on practical solutions such as developing new medical tests or filling the ventilator shortfall. On the personal data front, the response falls into two key categories: symptom tracking and community responses.
The most well-known private personal data response in the UK is the Covid Symptom Tracker app developed between ZOE, a health and data science company, and Tim Spector, a genetic epidemiology professor at King’s College London. The app asks users to report their symptoms daily, even if well, to be added to a repository that is being used by the NHS, and shared with universities for research purposes. The app’s privacy compliance is based on user consents, with purposes apparently limited to various COVID-19 related purposes.
In a similar vein, TrackTogether and LetsBeatCOVID.net use self-reported symptoms for tracking related purposes. TrackTogether focuses on using symptoms and postcode data to show users how many known cases are in their immediate area. LetsBeatCOVID.net has been developed by MedShr, which has previously styled itself as ‘Instagram for doctors’, and feeds aggregated self-reported symptoms back to MedShr’s one million doctor users. It builds on MedShr’s initial purposes of allowing doctors to connect and share knowledge with each other. Again, the model is based on anonymous but consent-based submissions.
In the US, Amazon’s Alexa and Apple’s Siri can now assist users with diagnosing COVID-19 by asking about their symptoms, travel history and possible exposure. It remains to be seen whether that capability will be rolled out to the UK. If it is, that could become the first example of COVID-related health data being shared with profit-making, commercial organisations, who will need to be very careful about how they inform users of the privacy implications of collecting their personal data.
As well as the more sophisticated apps, we have seen a huge rise in the number of informal community organisations and volunteer groups. These have proven critical in the early stages of COVID-19, particularly for ensuring the vulnerable have enough supplies. Although the individuals involved may not have engaged with data protection principles before, the group coordinators will be data controllers in relation to their volunteers and those they help. Pleasingly, this is where the ICO is proving to be most pragmatic, posting a helpful blog post for community groups. It takes an extremely sensible approach to the GDPR and sets out in simple terms the grounds on which these groups could use personal data.
Building on the community organisations, a number of new platforms are being developed to connect volunteers with a variety of community organisations easily online, and help allocate tasks efficiently.
Cyber-attacks and phishing
With new repositories of personal data being created, and individuals potentially being less cautious with their personal data when used for the purpose of helping respond to the crisis, it is no surprise that the volume of cyber and phishing attacks has gone up in the wake of the COVID-19 outbreak.
Research by the internet security company Sophos has found that the volume of Coronavirus email scams nearly tripled in the week commencing 23 March 2020, with almost 3% of all global spam now estimated to be COVID-19 related. Research from Action Fraud suggests there have been 105 coronavirus-related reports since 1 February 2020, with total losses reaching nearly £970,000.
Examples of these scams are wide-ranging and include fraudulent messages sent by criminals posing as:
- the UK Government, texting individuals two messages in succession, the first mimicking the bona fide Government text asking everyone to stay at home, and the second suggesting that the recipient is facing a fine for leaving their home on multiple occasions in a single day;
- the World Health Organisation claiming that an email attachment details how recipients can prevent the disease’s spread. The attachment, however, instead infects computers with malicious software;
- the Centers for Disease Control and Prevention, using one of the organisation’s legitimate email addresses, sent by a spoofing tool, spreading unfounded rumours about coronavirus. Hackers gain control of the email account once victims click on a link in the email; and
- the Department for Education asking parents of children eligible for free school meals for their bank details, so that their child could still receive meals during school closures. This goes some way to illustrate the lengths cyber criminals are willing to go to in order to create an opportunity from this pandemic.
The Association of British Insurers has also warned that times of austerity tend to bring an increase in insurance fraud, which is illustrated by the various Coronavirus insurance scams that have emerged already in the US. There has been an increase in the registration of webpages relating to the Coronavirus suggesting that if the outbreak intensifies, it is highly likely that the volume of such attacks will rise. The National Cyber Security Centre has put out guidance to individuals and companies to help spot phishing emails, the main message being that it is advisable not to click any links before verifying that the sender is genuine.
See Five Practical Steps to Managing Your Cyber Security Risk During a Crisis for further advice and tips on how to improve your cyber security posture.
The overview above shows the slightly overwhelming uses to which personal data is currently being put to fight COVID-19. Whatever the method, it is clear that governments and private organisations are rapidly gathering swathes of information on citizens in the name of combatting a public health emergency.
However, speed and a desire to contribute to the current crisis should not be used to justify data privacy compliance going out the window. For both public authorities and private organisations, Data Protection Legislation still binds them and their actions, and should remain a central consideration in their strategies. From data protection impact assessments, to purpose limitations, to considered retention policies, we would still expect to see all of the usual steps being taken as part of any project, just perhaps faster than ever before. Of course, whether this is actually happening in practice is another question. It will be interesting to see what happens to these initiatives, and the data that has been collected, once COVID-19 is under control. It may be that we see regulatory action in response to organisations that are perceived to have taken advantage of people’s willingness to share their information for commercial gain. Behaving in a trustworthy manner with people’s data is more important than ever before.
Putting the strict requirements of the Data Protection Legislation aside, data subjects are facing unprecedented incursions into their privacy rights. Rightly, data subjects are willing for their data to be used more than ever for the ‘greater good’, but there are fears in some quarters that we are in the process of setting a new normal and effectively opening the floodgates. If individuals accept unprecedented levels of data sharing now, will it be possible to go back to a more restrictive and privacy-conscious world when the outbreak is over? Will aggregated tracking become the new normal? We must hope that this situation is temporary, and that business as usual returns swiftly once COVID-19 is under control, otherwise we may see far more scrutiny of overzealous data processing where there is no pressing need.
It is vital that Governments continue to strive to achieve a balance between public health and privacy so that the latter does not become another casualty of this pandemic.
© Herbert Smith Freehills 2020