ICO could be the oversight body for Covid-19 contact tracing app
The contact tracing app being developed by NHSX to help the UK to come out of lockdown measures caused by the Coronavirus could be monitored by the ICO. Giving evidence today at Parliament’s Human Rights Committee, Information Commissioner Elizabeth Denham said the ICO could embark on the role of providing oversight. It is currently involved in commenting on the plans and expects to receive the Data Protection Impact Assessment and the privacy notice on the app ‘very soon.’ Denham said that to establish a new oversight body in this timetable would be tricky, and it would not be vested with the array of powers that the ICO has. Denham said that she will deal with any data protection complaints about the app, and NHSX has already committed itself to voluntary audits by the ICO.
Denham stressed that the ICO is not there to ‘sign off or approve’ the app. It will be an expert adviser and enforcer.
Speaking at the same evidence session, NHSX CEO, Matthew Gould, said that the app will not gather personal information. When the central database receives a proximity notification, it will not identify the individual. The app will, however, ask for the first three digits of the individual’s postcode so that public health authorities can be alerted to a cluster of infections in a particular area.
Both Denham and Gould emphasised the need for creating trust in the app. “The general public needs to understand the disclosed uses of the data,” Denham said.
Two academics speaking at the session, Dr Orla Lynskey, Associate Professor of Law, London School of Economics, and Dr Michael Veale, Lecturer in Digital Rights and Regulation, University College London, emphasised the need for legislation to set out how data protection principles would work in this context. The key aspects from the privacy perspective are the voluntary nature of the app, transparency, data minimisation and avoiding mission creep. They argued for a decentralised version of the app on privacy grounds as opposed to the centralised version chosen by the UK Government.
Gould said that they have to balance different interests and will keep this issue under review. He admitted that additional data collection could not be ruled out, but would be ‘by choice’.