A blog from Elizabeth Denham, Information Commissioner
26 March 2021
From contact tracing apps to temperature checks at airports, from businesses recording customers’ details to organisations sharing health data to help the vulnerable, it is clear that the responsible use of personal data has been vital in responding to the COVID-19 pandemic.
Public trust has been at the heart of each of these projects, and I am pleased that the ICO has been able to help organisations earn that trust by providing pragmatic advice to ensure data is used in a way that people feel is fair.
Now, as the UK Government reviews the prospective role of domestic COVID-status certification schemes, the ICO continues to advise on privacy considerations that can contribute to schemes earning public trust from the outset.
These are early days – and that’s exactly the right time for us to be involved. We’ve engaged with UK Government about how data protection law and regulation need not be a barrier to the responsible use of personal data in any certification scheme, and are engaging with the devolved administrations.
We understand the potential benefits of people being able to demonstrate their COVID-status, including safeguarding public health and reopening parts of the economy.
The success of any future COVID-status schemes will rely on people trusting them and having confidence in how their personal data will be used. It is crucial that, from the start, thought is given to how data can be used fairly and how this can be explained clearly to people using a scheme.
Any organisation processing personal data as part of a COVID-status certification scheme would be responsible for using that personal data appropriately and for complying with data protection law. While these schemes may be new, the principles are the same.
That means high standards of governance and accountability to ensure compliance with data protection principles, including transparency, fairness, data minimisation and storage limitation, and utilising a ‘data protection by design’ approach as part of their planning.
If the UK plans to develop digital infrastructure as part of any COVID-status certification schemes, then it must be secure, fit for purpose and compliant with the law. Much has been learned over the last year in this area and I have recommended that good practice from other digital solutions developed to address COVID-19 be taken into account.
One lesson is that people are sometimes concerned that information collected for one purpose might then be used for other purposes, something I discussed with MPs in January.
The UK data protection regime can offer people reassurance here. The law expects organisations to be clear why they are using data, and my office can act if there are concerns of ‘scope creep’.
The UK administrations also have a leadership role to play in instilling public trust and confidence. There is a risk that without a strong line from leaders on what is and is not acceptable, a range of organisations will offer COVID-status certification services, likely with varying levels of maturity in terms of good governance and protections for personal data. The failing of one initiative may undermine public trust in all such schemes.
Over the last year we have sought to support organisations as they strive to protect information about people and comply with data protection rules through the pandemic. Our Coronavirus Hub contains all our guidance in this area and is updated as new issues emerge so that our support remains relevant and practical.
There is still work to do before UK Government reaches any conclusions following its review and data protection will remain a key consideration. My office welcomes the engagement to date, and looks forward to continuing to be consulted on COVID-status certification schemes across the UK.
Elizabeth Denham was appointed UK Information Commissioner on 15 July 2016, having previously held the position of Information and Privacy Commissioner for British Columbia, Canada.