The Nuclear Option is OK for Covid-19!

Obviously these are extraordinary times by any standard. There is a pandemic underway, the number of people infected is on the rise and, by implication, the number of people who will die as a result will rise. That doesn’t take into consideration the people who will suffer long-term debilitating effects of the Covid-19 virus, along with the already significant cost in terms of jobs and unexpected expenditure.

As a nation we’ve allowed our rights to be eroded a bit at a time, in particular our digital rights. This is continuing at a steady pace and I’m not sure that people even realise it is happening. Manifestly the current situation puts a slightly unusual slant on things – but the potential implications seem to be overlooked.

“The important thing is that data protection is not a barrier to sharing data,” said an ICO spokeswoman, responding to the question of potentially nationwide mobile phone monitoring. “Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health. Data protection law enables the data sharing in the public interest and provides the safeguards for data that the public would expect.”

Mark Sweney – The Guardian – 27th March 2020

Just to put this in perspective, this was taken from a six-month-old article in the Guardian newspaper. To make it even more pertinent, later on in the same article was:-

Earlier this week it emerged that the mobile phone industry had explored the creation of a global data-sharing system that could track individuals around the world, as part of an effort to curb the spread of coronavirus.

The aim of the global network would be to enact “contact tracing” to identify who someone with the virus may have come into contact with.

The Washington Post reported last week that the US government was in talks with Facebook, Google and other tech companies and health experts about how location data from Americans’ phones could be used to fight the pandemic. The report suggested public health experts were interested in anonymous aggregate data that could help map the spread of the virus.

Mark Sweney – The Guardian – 27th March 2020

So six months later where are we? The UK’s attempts at contact tracing don’t seem to be doing so well; there are problems with the fundamentals, like testing availability. So, not to put too fine a point on it, if you can’t get tested, you won’t get a positive result, and the contact tracing will exclude you and consequently anyone that you’ve been in contact with. The government app seems to have issues as well: people can be infected and be asymptomatic. It is downloaded on a voluntary basis, and it’s dependent on you having a smartphone and taking it with you.

But we’ve given access to the positional and other data from the mobile networks, quite possibly indefinitely – well, as long as Covid-19 is around. And with no “cure” in sight, that could be for a long time. Many people are quite happy with the data being available; in this particular case I’m not unhappy about it myself – but there should be safeguards in place.

To the best of my knowledge these haven’t been mentioned, so they could be there but I’m unaware. The Information Commissioner’s Office says the following about the track and trace apps:

The ICO considers that a Data Protection Impact Assessment (DPIA) is required for contact tracing solutions prior to implementation, given that the processing is likely to result in a high risk to the rights and freedoms of individuals.

Information Commissioner’s Office

It then goes into some depth regarding the track and trace apps and the data that they should collect, along with it being deprecated – everyone knows how well that works in the digital world. But what’s most concerning to me is the fact that this can run until someone declares that the pandemic is over; it would be interesting to see who will be responsible for making that call. One other comment that seems to be a bit concerning is from the Data Protection Network, where they say:-

I don’t want to bore you with data protection law, but you do need a lawful basis for collecting personal data for any purpose including contact tracing. While many might be forgiven for thinking GDPR meant you needed people’s consent for everything, this is simply not the case.

Contact tracing is a perfect example of where legitimate interests are likely to be the most appropriate lawful basis if you’re a private organisation.

It’s in your ‘legitimate interests’ as a business to support public health efforts and care for your staff, plus it’s very likely to be in the interests of the individual. (My husband, for one, would want to know if there was a COVID-19 outbreak in the bar he was in last week). In short, if you’re relying on legitimate interests you don’t need to ask for their ‘consent’ but will need to give them a right to object.

If you are a public authority you are likely to be able to rely on ‘public task’ as your lawful basis.

Data Protection Network

So, although we’re in the middle of this, and given that the government and non-government agencies are collecting data, which they may or may not deprecate and possibly without consent, have we again, by omission, cast away another freedom – given the Nuclear Football to the government as far as the tracking of movement and freedom of association goes? Or do we think that at the end – if indeed there is an end to the Covid-19 pandemic – things will go back to the way they were as far as the location data from our phones goes?