Privacy notices are not generally the source of dinner table conversation. However, the NHSX contact tracing app privacy notice could (and arguably should) be an exception.

The underlying purpose of a privacy notice is to ensure that individuals or organisations that collect and use personal information are transparent about what they are doing with it. 

The UK Government’s plan to deploy a contact tracing app as part of its strategy to bring the country out of COVID-19 lockdown has triggered much debate about the processing of the public’s personal data.

As discussed in our recent article, we understand that progress is being made with NHSX’s app, with a trial underway on the Isle of Wight and the UK’s data protection regulator paying close attention to any privacy implications.

At the time of writing, a question remains whether the data collected will centralised under Government control or will it be disconnected and disparate, stored at device level only. With such technical details of how the app will work still in short supply it’s not surprising that a NHSX privacy notice is not yet available for public consumption. However, assuming that an app is ultimately launched these are some of the key points in the privacy notice that will likely be scrutinised:

  • Identity of the controller – it’s anticipated that NHSX will be identified as the controller of any personal data collected using the app. It’s the controller that primarily determines the “why” and “how” in terms of data processing. Importantly, it’s the controller that is ultimately responsible for the data processing and is the party that should be responding to individuals and regulators when things go wrong.
  • What data is collected – the notice should clearly set out what personal data is collected and processed when using the app. The law requires that the collection and processing of personal data is minimised to only what is necessary. Understandably there will be sensitivity about the extent of location information processing.
  • Purposes for processing personal data – individuals must be provided with details of why the data is to processed. Of course, we can expect this to include aiding public health through contact tracing. However, additional purposes will likely warrant greater scrutiny particularly from those with concerns about Government surveillance although we understand that for now, there will not be a system for monitoring location data.
  • Who the data is shared with – with Cambridge Analytica’s purported use of Facebook as a source of data for political purposes, there will be great interest in who will have access to data collected by the app. The notice must include details of any third parties (e.g. tech companies) that process data collected and whether data is transferred outside the EEA.
  • How long the data will be kept – it’s been reported that Harriet Harman’s proposed Contact Tracing (Data Protection) Bill includes a requirement that any data collected using the app is deleted after the pandemic. Determining such a date could be challenging. In the absence of the Bill, we can expect NHSX to provide information on how long it considers it necessary to retain the data for the purposes for which it was originally collected.

We anticipate that much of this information will be made available before an app privacy notice is publically launched. However, it will be interesting to see whether the NHSX contact tracing app privacy notice proves to be a model example of how GDPR transparency obligations should be met by organisations collecting personal data or the source of further discussion.

This post was written by Ian Bond.