GDPR "inadequate" to protect against contact-tracing privacy risks

MPs and Lords demand new law to guarantee protections for any contact-tracing tech

Parliamentarians have called for the government to adopt urgent legislation to protect UK citizens' privacy when they download a widely-touted contact-tracing app.

Existing laws and frameworks are unfit-for-purpose, according to the chair of the Joint Committee on Human Rights Harriet Harman MP, whose cross-party panel of MPs and Lords have examined plans to introduce contact-tracing technology.


GDPR is "wholly inadequate", the Labour veteran has claimed, because the consent-based model of data protection doesn't lend itself to an entirely new area of data harvesting that the processes involved in powering contact-tracing demand.

The committee, as a result, has produced its own draft Bill for the government to consider, establishing a framework that safeguards user data specifically with regards to any contact-tracing software introduced. 

“We did a report before the last election looking at the protection of data in the digital age,” Harman told journalists during a conference call. “We heard evidence that even those people who were gathering the data didn’t have full sightlines all the way through to know what was being gathered.”

“We found the current system for data protection wholly inadequate even for the gathering of data that was at that point being carried out. This is a wholly new area of data collection and therefore we need not the failed mish-mash of protections that currently exist, we need a new, bespoke bill.”


Currently, data protection and privacy guarantees are offered based on a spread between GDPR, the Data Protection Act 2018, case law on privacy, and principles outlined in the European Convention on Human Rights. The setup amounts to “tangled law” that never envisaged anything amounting to the contact-tracing technology about to be rolled out.

The MP was also critical of the health secretary Matt Hancock, who hasn’t yet responded to the committee’s request for the government to consider the legislation, despite suggesting in a letter that individuals would be given assurances their data is safe. A letter, Harman added, does not equate to legal protections.

The contact-tracing app is voluntary, but a certain proportion of the public, thought to be between 60-80%, must download it for it to be effective in controlling the spread of the virus. Implementing legislation to guarantee safeguards against any potential breach of privacy would go some way toward reassuring the public against potential data misuse.


Regardless of whether the app being developed pursues a centralised or decentralised model, the Bill would outline specifically the purpose of gathering data for contact-tracing, who can access the data, and also ensure the deletion of data once the system is no longer needed.

The Bill would also introduce a contact-tracing Tsar who would oversee complaints. That function has traditionally been exercised by the Information Commissioner’s Office (ICO), although Harman insists the data regulator is not well-equipped to handle the legality of any contact-tracing system. This is due to a fundamental flaw in the way the ICO was established.

“The way we set up the Information Commissioner is we gave the office responsibility both to advise but also to enforce, and actually, that can be bordering on conflict of interest,” the committee chair continued.

“Because if you’ve been advising, which the Information Commissioner has been, about the setup of the system, then you kind of are vested in it, and you need a clean pair of eyes to actually look at it.”


Since the government first revealed its intentions to develop a contact-tracing app, organisations have lined up to voice their concerns over the potential for privacy infringements, particularly with regards to the centralised model. 

Amnesty International, for example, recently expressed concern that the government may be planning to route private data through a central database, which would open the door to “pervasive state surveillance”. 

The claim that GDPR is unfit-for-purpose to protect against contact-tracing privacy risks comes almost two years after the toughest data protection laws to date came into force.

Since its implementation, despite the promise of hefty fines for data protection violations, very little has been collected and few cases have reached a conclusion. This is despite mounting complaints, especially on the doorstep of the Irish Data Protection Commission (DPC), and even ‘intentions to fine’ issued by the ICO against BA and Marriott for data breaches in 2018.
