GDPR "inadequate" to protect against contact-tracing privacy risks

MPs and Lords demand new law to guarantee protections for any contact-tracing tech

Parliamentarians have called for the government to adopt urgent legislation to protect UK citizens' privacy when they download a widely-touted contact-tracing app.

Existing laws and frameworks are unfit for purpose, according to Harriet Harman MP, chair of the Joint Committee on Human Rights, whose cross-party panel of MPs and Lords has examined plans to introduce contact-tracing technology.

GDPR is "wholly inadequate", the Labour veteran has claimed, because the consent-based model of data protection doesn't lend itself to the entirely new area of data harvesting that the processes powering contact tracing demand.

The committee, as a result, has produced its own draft Bill for the government to consider, establishing a framework that safeguards user data specifically with regard to any contact-tracing software introduced.

“We did a report before the last election looking at the protection of data in the digital age,” Harman told journalists during a conference call. “We heard evidence that even those people who were gathering the data didn’t have full sightlines all the way through to know what was being gathered.”

“We found the current system for data protection wholly inadequate even for the gathering of data that was at that point being carried out. This is a wholly new area of data collection and therefore we need not the failed mish-mash of protections that currently exist, we need a new, bespoke bill.”

Currently, data protection and privacy guarantees are offered based on a spread between GDPR, the Data Protection Act 2018, case law on privacy, and principles outlined in the European Convention on Human Rights. The setup amounts to “tangled law” that never envisaged anything amounting to the contact-tracing technology about to be rolled out.

The MP was also critical of the health secretary, Matt Hancock, who hasn’t yet responded to the committee’s request for the government to consider the legislation, despite suggesting in a letter that individuals would be given assurances their data is safe. A letter, Harman added, does not equate to legal protections.

The contact-tracing app is voluntary, but a certain proportion of the public, thought to be between 60% and 80%, must download it for it to be effective in controlling the spread of the virus. Implementing legislation to guarantee safeguards against any potential breach of privacy would go some way toward reassuring the public against potential data misuse.

Regardless of whether the app being developed pursues a centralised or decentralised model, the Bill would outline specifically the purpose of gathering data for contact-tracing, who can access the data, and also ensure the deletion of data once the system is no longer needed.

The Bill would also introduce a contact-tracing Tsar who would oversee complaints. That function has traditionally been exercised by the Information Commissioner’s Office (ICO), although Harman insists the data regulator is not well-equipped to handle the legality of any contact-tracing system. This is due to a fundamental flaw in the way the ICO was established.

“The way we set up the Information Commissioner is we gave the office responsibility both to advise but also to enforce, and actually, that can be bordering on conflict of interest,” the committee chair continued.

“Because if you’ve been advising, which the Information Commissioner has been, about the setup of the system, then you kind of are vested in it, and you need a clean pair of eyes to actually look at it.”

Since the government first revealed its intentions to develop a contact-tracing app, organisations have lined up to voice their concerns over the potential for privacy infringements, particularly with regard to the centralised model.

Amnesty International, for example, recently expressed concern that the government may be planning to route private data through a central database, which would open the door to “pervasive state surveillance”. 

The claim that GDPR is unfit for purpose to protect against contact-tracing privacy risks has been made almost two years after the toughest data protection laws to date came into force.

Since its implementation, despite the promise of hefty fines for data protection violations, very little has been collected and few cases have reached a conclusion. This is despite mounting complaints, especially on the doorstep of the Irish Data Protection Commission (DPC) and even ‘intentions to fine’ issued by the ICO against BA and Marriott for data breaches in 2018.
