ICO insists it will defend privacy in Covid-19 app

Information Commissioner Elizabeth Denham appeared this week before the Human Rights Joint Committee, chaired by Labour MP for Camberwell and Peckham and former Secretary of State for Social Security Harriet Harman.

The launch of the contact tracing app is being seen as a key step in lifting the UK lockdown - which has been imposed since March 23.

The idea is to use smartphones to detect other phones to form a web of traceable contact, so that if one person is diagnosed with a confirmed case of Covid-19, all those previous contacts can be alerted and go into isolation, or get tested themselves.

The NHS has already ruled out using the technology developed by Apple and Google, with NHSX, the digital arm of the health service, opting to develop its own solution.

Denham told the committee that the ICO has been involved from an early stage in the development of the NHSX app, adding: "It is really important that there is an independent oversight body to make sure the app is being rolled out in a way that is effective but also protects the public interest in privacy and security."

"We expect to look at the data protection impact assessment (DPIA), which is the key document for us to be able to critique and we also expect to be monitoring how the public is responding to the app when it is rolled out."

There have been claims made by some privacy groups that the app could potentially breach data protection laws but Denham dismissed these concerns, insisting: "We’ll take complaints, we’ll do investigations, we’ll do audits but I think it is also very helpful that the NHS wants to talk to the regulator at the design phase to make sure privacy and security is built in and baked in."

When quizzed as to whether the ICO’s early involvement would effectively mean the regulator would be marking its own homework, Denham said: "This is no different from us looking at a new biometric system or a new immigration tracking system. We give expert advice, we do not sign off or approve something because I think if we did that would put us in a conflict to be able to carry out our audit and enforcement measures.

"But the law that Parliament gave me to administer [the Data Protection Act 2018] has us playing all of those roles and I think if you went out and tried to quickly build another commissioner’s office, I am not too sure how that would work."