The ICO we want
Last week, Open Rights Group (ORG) found out that the Information Rights tribunal ceased their general stay. This comes in conjunction with the Information Commissioner (ICO) allegedly expressing concerns over the Test and Trace scheme, and their handling of mandatory data protection checks.
Whether these are preludes to a return to effective data protection enforcement remains to be seen. The Government’s recent disclosure of its NHS Covid-19 contractual deals with private tech firms has exposed new issues, piling up on the already long list of concerns and contraventions we have covered in the past. On the other hand, the ICO’s official stance has been feeble, to say the least, and we have yet to see any meaningful action to compel the Government to amend these manifest violations of privacy laws.
Given these developments, we encourage the ICO to regain control of the situation, and effectively protect our rights to data protection.
The ICO should call out failures to protect our personal information
So far, the Government has failed to properly mitigate risks in the development of the NHSX Contact Tracing App, as well as to produce a mandatory risk assessment for the Test and Trace scheme.
Furthermore, an outsourcing firm accidentally shared personal information of its contact tracing staff, in what clearly constitutes a data breach. However, Serco reportedly intends not to refer the incident to the ICO, despite the law compelling it to do so within 72 hours of having become aware of it. It is also worth noting that, according to the same report, “when the Home Office made a similar error last year it referred itself to the Information Commissioner”.
We believe the ICO should call out these stark contraventions of data protection rules. This would represent a first, meaningful step toward keeping the Government and its partners in check, and ensure that next moves are planned and implemented with the care and competence the situation demands.
The ICO should investigate violations of data protection rules
The Data Protection Act provides the ICO with a wide array of tools to enforce data protection rules. These include the power to issue written inquiries, conduct compulsory audits, impose fines, and demand changes in the way personal data are stored and used. Given the sensitivity of contact tracing data, we cannot think of a more convincing case for resorting to these regulatory powers.
On the other hand, the violations we mentioned above are only the facts that have emerged over the past month, indicating that we may very well be scratching the surface.
Therefore, we expect the ICO to rely on its statutory powers to assess the real scale of the violations we have witnessed so far, and to put an end to the malpractices which are currently taking place.
The ICO should set red lines for Digital Contact Tracing
Contact tracing involves an unprecedented level of intrusiveness into our personal lives. Furthermore, the very nature of personal data related to Covid-19 infections or other health information makes initiatives in this field extremely sensitive.
On the other hand, the Government has rejected parliamentary attempts to enshrine legal safeguards in legislation, and is planning to intensify its efforts to establish an immunity passport scheme, whose risks are self-explanatory.
In this regard, we note that the Government disregarded the ICO’s recommendations concerning the development of the contact tracing app. For instance:
- the Contact Tracing App relies on a centralised model, despite the ICO’s recommendation “to explain why it is necessary to do so”. Meanwhile, Number 10 is reportedly pressuring NHSX to switch to a decentralised approach, casting further doubt on the actual necessity of a centralised model of contact tracing;
- Contact Tracing data in the current Test and Trace scheme will be retained for 20 years, against the ICO’s request to “Store data for the minimum amount of time necessary”; and
- the Contact Tracing App is affected by serious security flaws, and “Data stored on device is not encrypted”, whereas the ICO recommended to “Apply appropriate cryptographic/security techniques to secure the data, both at rest [..] and in transit”.
Therefore, we believe the ICO should be more assertive in holding the Government accountable for diverging from its recommendations, in particular when such decisions result in clear risks or contraventions.
What’s next?
We have already filed a complaint with the ICO denouncing Test and Trace legal breaches, and we will continue to put pressure on the Government to establish legal and practical safeguards in these systems.
Want to know more? Take a look at the campaign page on our website, or join us and help us uphold our digital rights during these turbulent times.