Coronavirus: A Regulatory Update

There are not many areas of law entirely unaffected by the coronavirus (it comes to something when even wills and trusts starts to look important) but data protection has a place at the vanguard. As the situation continues to develop, there are more and more updates. Here are a collected few.

First, the Information Commissioner has issued a document entitled ‘The ICO’s regulatory approach during the coronavirus public health emergency’. The policy recognises the extreme pressures on public services, and the financial impact the emergency measures are having on businesses. The role of the regulator does not stop, but, Wilmslow says, it is “committed to an empathetic and pragmatic approach” which effectively means not pretending the real world isn’t happening, whilst still taking action in the most important cases. In short, if you are a controller who struggles to comply with an aspect of data protection law because of the impact of the crisis (subject access compliance; data breach notification), expect the ICO to be receptive; but if you seek to take advantage of the crisis expect the proverbial tonne of bricks. Regulatory action will not cease, but will take longer and may take a different shape, including that “this is likely to mean the level of fines reduces”.

Second, the European Data Protection Board has now issued ‘Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak’. This does very much what it says on the tin. It is a collation of pandemic-specific advice around the possible legal bases for processing in Article 9 GDPR, the application of the data protection principles in Article 5, and guidance on international transfers of personal data for scientific research responses globally. Note the emphasis on processing for the purpose of scientific research, but it is a helpful document focussed on some potentially difficult issues.

Third, one of the areas of real interest and discussion is the use of personal data for contact tracing products, with assorted privacy impact concerns. One such development is the joint initiative by Apple and Google (the Contact Tracing Framework) to enable the use of Bluetooth technology to help governments and public health authorities reduce the spread of the virus. The Information Commissioner has published ‘Opinion 2020/01: Apple and Google joint initiative on COVID-19 contact tracing technology’, which sets out her view of the data protection compliance of that initiative. The Opinion is long and detailed, and worth reading; it was published because of the wider relevance it has to similar developments. The Commissioner is broadly supportive of the initiative and of the restrictions she understands to be part of it, and considers that it appears to be complying with the principle of data protection by design and default.

Fourth, linked to this, the EDPB has also agreed ‘Guidelines 04/2020 on geolocation and other tracing tools in the context of the COVID-19 outbreak’, which particularly addresses the use of location data to aid pandemic modelling and contact tracing. The EDPB has explained that it “stands by and underlines the position expressed in its letter to the European Commission (14 April) that the use of contact tracing apps should be voluntary and should not rely on tracing individual movements, but rather on proximity information regarding users”, and that the Guidelines contain an annex which is a guide to the development of contact tracing apps.

Fifth, as part of the domestic data development efforts, NHS Digital has set out the two formal legal directions it has received from the Secretary of State and from NHS England (both made under the Health and Social Care Act 2012) to establish information systems to collect and analyse data in connection with COVID-19, and to develop and operate IT systems to deliver services in connection with COVID-19.

Sixth, the Secretary of State has also made four published legal directions under regulation 3(4) of the Health Service Control of Patient Information Regulations 2002, in force until 30 September 2020. They require that confidential patient information and personal data is shared for purposes of combatting coronavirus and aim to give health organisations and local authorities the security and confidence to share the data they need to respond to coronavirus (COVID-19). It is said that for “patients, this means that their data may be shared with organisations involved in the response to coronavirus (COVID-19), for example, enabling notification to members of the public most at risk and advising them to self-isolate.” The directions are issued to: NHS Digital, NHS England, NHS Improvement, health organisations, local authorities, arm’s length bodies and general practitioners. Their terms are worth noting; the definition of a “COVID-19 Purpose” is very broad.

 Christopher Knight