Earlier today, the BBC reported the latest in an increasingly long line of problems to have plagued the country's COVID-19 ‘Test and Trace’ programme: it has not complied with the General Data Protection Regulation (GDPR).

Following a legal challenge from privacy campaigners, the Department of Health has admitted that the programme, which aims to trace contacts of those infected with COVID-19 in order to prevent further spreading of the virus, was launched without any Data Protection Impact Assessment (DPIA) having been undertaken.

But what exactly is a DPIA and when is one needed?

A DPIA is a process designed to assess whether a proposed activity that involves processing personal data is necessary and proportionate. It should be used to assess and manage any risks to the rights and freedoms of individuals that might result from that processing activity by determining ways of addressing them. DPIAs are key tools in demonstrating a business’s compliance with its accountability obligations under the GDPR.

The GDPR requires that DPIAs be carried out if any processing of personal data is “likely to result in a high risk to the rights and freedoms of natural persons”. Guidance on the matter recommends considering the need for a DPIA if a business plans to:

  • process any ‘special category’ personal data on a large scale, as is the case with the ‘Test and Trace’ programme (health data constitutes ‘special category’ personal data);
  • implement any automatic decision making or profiling that significantly affects the person whose data is processed (for example, to provide or refuse a service to that person);
  • systematically monitor individuals (for example, via CCTV);
  • deploy innovative technology that uses personal data (for example, facial recognition software implemented at offices to enable access to certain areas); and/or
  • process personal data of vulnerable individuals (which might include employees) where there is an imbalance of power in the relationship and, consequently, those individuals have no genuine option to object.

DPIAs should be considered at the start of any new project that fits one or more of the above criteria, so that potential risks to the relevant personal data are addressed in advance of implementation (which is what the Department of Health failed to do in this case).

If your business has already undertaken a DPIA in respect of a processing activity, it will need to review that DPIA periodically (and ideally at least once every 2 to 3 years), particularly if there is any change in the context or nature of the processing.

Undertaking a DPIA will not only help your business demonstrate accountability and compliance with the GDPR, but will also build trust amongst those whose personal data is processed. That trust is much easier to lose than it is to gain. The risk to the UK government posed by this latest development is that fewer UK citizens, having lost confidence in its handling of their personal data, may participate in the Test and Trace scheme. Without significant participation across the population, the country is unlikely to have an effective contact tracing system.