Various news outlets are reporting that the UK government is considering using mobile device users’ location data as a means to monitor the spread of coronavirus and to track their endeavours at social distancing.

Polling suggests that the wider population is generally supportive of implementing extraordinary measures to mitigate the COVID-19 crisis. However, the possibility of increased processing of personal data at a testing time when individuals’ freedoms have already been curtailed as part of the response to pandemic does raise privacy concerns. The civil liberties group, Big Brother Watch, has already warned that the Coronavirus Act 2020, which came into force on 25 March, risks weakening safeguards on mass surveillance powers.

It has been suggested that individuals’ health data could be subject to large-scale processing so that nearby persons that those individuals pass (for example, on a public street when taking permitted exercise) are warned that they have been in the proximity of someone suspected to have coronavirus (an app that performed a similar operation was used in South Korea, where the infection rate has fallen dramatically). This would inevitably require the processing of ‘special category’ data, which is subject to extra protections under the GDPR and the Data Protection Act 2018.

In a recent tweet linked to below, Matt Hancock, the Secretary of State for Health, stated that ‘GDPR does not inhibit use of data for coronavirus response’. It is likely Hancock is thinking of Articles 6(d) and 6(e) and Articles 9(2)(c), 9(2)(g), and 9(2)(i), which do allow for processing of such special category data where this is in the public interest, for public health reasons, and/or for protecting individuals’ ‘vital interests’. If the UK government were to rely on these grounds for such large-scale processing, then users’ consent would not be needed for data to be processed in this way.

However, implementing such processing is not without risk: if rolled out too quickly, it would be all too easy for such wide-scale processing of special category data to contravene core principles of the GDPR, such as ensuring data is not kept for longer than it should and being transparent about the way it is processed. Another key tenet of the legislation is that personal data must be kept up to date, and it is not difficult to imagine how this might be a challenge to do for large swathes of the country’s population with regard to each person’s health status. Individuals may not be able to object to this processing if, as is likely, it can be demonstrated that there are legitimate grounds for the processing that override individual rights and freedoms. Furthermore, while the initial use of the data might be for the purposes of protecting individuals’ vital interests, there is a risk that such data might then be subjected to further use and processing for other purposes.

If data can be anonymised before it is processed in the ways discussed, this might be a solution, since truly anonymised personal data falls outside of the GDPR’s scope. The European Data Protection Board has recommended that, in the first instance, public authorities should endeavour to process location data in an anonymous way. However, a recent news report has mentioned the possibility of reversing the anonymisation of such data in order to identify specific virus-carrying individuals. This would be a significant concern for the privacy of those individuals.

Notwithstanding the above, a careful balance will need to be maintained between individual rights and the needs of public protection during this pandemic. It is important to remember that the GDPR and the Data Protection Act 2018 still apply to UK public authorities and to private organisations, and even during this public health crisis, any project involving the processing of personal data is expected to comply with this legislation.