Protecting privacy during a pandemic: our work on the UK’s Covid apps
Information Commissioner's Office
The Information Commissioner's Office (ICO) exists to empower you through information. www.ico.org.uk
Ian Hulme?is the ICO's Director of Regulatory Assurance. He led our operational response to the pandemic and leads our stakeholder relationships with the health and care sector.
The ICO’s work is often in the headlines, and our?recent enforcement action ?against TikTok for allowing over a million UK children to use its platform without parental consent brought international media attention.
In practice, the majority of our work to protect people’s privacy rights has a far lower profile. Making sure people are considering data protection at an early stage, and providing the advice and support to ensure privacy protections are built into new services is less glamorous, but very effective.
Our work with the Department of Health and Social Care and Welsh Government around the NHS Covid app is a prime example. The app will be officially decommissioned on Thursday, after a fall in the number of users across England and Wales. It marks the end of a journey that began in the pandemic, and saw as many as 30 million people download the app.
领英推荐
The ICO offered advice and support to DHSC from the start, recognising the vital role that data played in navigating the pandemic and our responsibility, as a regulator, to protect people’s privacy during the development of new technology. Given the unprecedented circumstances, our teams worked hard to ensure that data protection law wasn’t a barrier to this innovation and privacy considerations were built into the lifecycle of the app – from design to decommission.
We were the first data protection authority to share a formal?Opinion ?on the joint Google-Apple contact tracing API, just days after it was first published in April 2020. This was shortly followed by our?data protection expectations for app development ?that served as a touchpoint throughout the pandemic. As the app’s functionality evolved, we continued to engage with DHSC and Welsh health bodies to ensure privacy and transparency were considered every step of the way.
Decommissioning was a key part of our expectations for the NHS Covid app. We made it clear to the Department of Health and Social Care that for people to have confidence in the app, they must be able to trust that their data would be deleted once the app was no longer required. We’re pleased that our work, started in March 2020, has helped to protect millions of people across the UK.
The same approach brought similar benefits across the UK. In Scotland, we offered advice and support on the development of the Protect Scotland app and in Northern Ireland, we provided advice and support on the development of the StopCovidNI app. Both proximity tracing apps followed the design principles set out in our expectations document and in line with these expectations, the Scottish app was decommissioned in April 2022 and the NI app was decommissioned in June 2022.
It’s an approach we continue to take today, working closely with organisations to support them to get data protection right from the start when creating new products and services. Our enforcement work may get the headlines, but it is the influence we can have over crucial moments behind the scenes that allows us to make the biggest difference.
Extensive experience across HMP Service (Governor),the National Probation Service (drug specialist), Surrey Police (Secondee Probation officer working alongside DIU) to divert prolific nominals away from crime,
1 年You failed me. You supported epistemic violence by Surrey County Council. They used a lawful basis that isn’t even listed in the DPA 2018. ICO Caseworker action in respect of Article 21 Objection to processing - nothing. Surrey County Council changed lawful basis 5 times. ICO Caseworker action in respect of Article 21 Objection to processing - nothing. Surrey County Council then gave the ICO a lawful basis that isn’t in their ASC Privacy Notice. ICO Caseworker action in respect of Article 21 Objection to processing - nothing Data subject identifies compelling medical grounds for erasure, supported with letters from Consultants, Chied Medical Officers, GP etc Surrey County Counills DPO Heidi Judd lies to the ICO and states their compelling reason is to comply with the Care Act 2014…only the Chief Operating Office for ASC had already written to inform the Data Subjectbthe Care Act 2014 was not triggered and wasn’t applicable. ICO caseworker - states oh, the Councils lawful basis was the Care Act 2014….so the same Care Act 2014 that was not triggered and couldn’t be used. great ?????? well done ICO Cade worker…sound work. You are as bad as the authority and you are contributing tomepistemic violence,