The UK government recently approached O2, Vodafone, EE and Three about using phone signals as part of its efforts to tackle the coronavirus outbreak. The data is anonymised so its use is in compliance with UK and EU data privacy laws but it may still be an infringement of the human right to privacy under the Human Rights Act.
Now there is talk of a NHS app which can track your recent proximity to anyone who tests positive for Covid-19.
Data regulators such as the UK’s Information Commissioners Office (“ICO”) are aware of the struggles organisations and their governments are facing in the current Covid-19 pandemic.
The ICO has issued a statement to say that it does not have the power to change statutory deadlines such as 30 days to respond to a subject access request bit it will be sympathetic when considering enforcement action as it recognises that most companies’ focus has been elsewhere, so it will take into account the compelling public interest in the current health emergency.
Whilst public health interests can provide legitimate reasons to increase monitoring of individuals, mass surveillance by governments must be approached with caution. The latest developments in tracking technologies using mobile phone apps and data could have serious implications for privacy and other human rights long after the coronavirus pandemic has subsided.
“Take up of the NHS app will need to reach 60% of the population for it to be effective but how abuse of the data by individuals (e.g. false self-reporting or trolling) or by governments – if the public accept this intrusive use of personal data for health reasons in an emergency, would they become desensitised to the UK government using the data for crime prevention, monitor large crowds at events, or to replace the national census (due in 2021)”, said Toni Vitale Head of Data Protection at JMW Solicitors LLP.
The European Union is likely to take a cautious approach to such monitoring, but in other parts of the world tracking is already taking place. In China, the government reportedly worked with a number of tech giants to keep track of the population.
The European Data protection Board (which advises the EU Commission on data privacy) advocates a more cautious approach in Europe. The EDPB advises that public authorities "should first seek to process location data in an anonymous way… which could enable generating reports on the concentration of mobile devices at a certain location".
Whilst it recognises that EEA Member States are entitled to introduce legislative measures to safeguard public security, it points out that if this involves non-anonymised location data then the legislative measure must also put in place adequate scrutiny and safeguards.
These could include providing the right to a judicial remedy. It emphasises that governments should always use the least intrusive solutions possible, taking into account the specific purposes of the legislation. Blanket surveillance is unlikely to be compliant with EU laws even when it is for the public good.”
“These are extraordinary times. Indeed, the human rights framework is designed to ensure that different rights can be carefully balanced to protect individuals and wider societies. Governments cannot simply disregard rights such as privacy and freedom of expression in the name of tackling a public health crisis. On the contrary, protecting human rights also promotes public health. Now more than ever, governments must rigorously ensure that any restrictions to these rights is in line with long-established human rights safeguards” said Vitale.
Human Rights Watch (an international non-governmental organization) has issued an 8-point declaration to balance individual rights and the need for governments to protect public health (https://www.hrw.org/news/2020/04/02/joint-civil-society-statement-states-use-digital-surveillance-technologies-fight_. It has been signed by many international organisations.
Surveillance measures adopted to address the pandemic must be lawful, necessary and proportionate;
New monitoring and surveillance powers must be time-bound, and continue only for as long as necessary;
Data must only be used for the purposes of responding to the pandemic;
Governments must protect people’s data, including ensuring sufficient security;
Governments must address the risk that the tools will facilitate discrimination and other rights abuses against racial minorities, people living in poverty, and other marginalized populations;
If Governments partner with private sector entities, the agreements must comply with the law, and sufficient information to allow public oversight must be publicly disclosed. Such agreements should be in writing, with sunset clauses.
Increased surveillance should not fall under the domain of security or intelligence agencies and must be subject to effective oversight by appropriate independent bodies
Data should be shared with relevant stakeholders, in particular experts in the public health sector and marginalized population groups
Author: Toni Vitale, Partner | Head of Data Protection | JMW Solicitors LLP | jmw.co.uk