The Data Protection Act of 2018 (General Data Protection Regulation) came into force to protect people’s data from being misused. COVID-19 has thrown us into a test of the societal benefits of the regulation. The questions is, is there any noticeable societal benefit?
While guidance has been mixed throughout the pandemic, public health authorities have been extremely consistent in their mantra that testing and contact tracing are the most effective methods to control the spread of the pandemic. So it was surprising that six months ago at the outset of the pandemic, mobile phone contact tracing applications were touted as one of the potential technological breakthroughs. Many governments rushed to begin developing their own. Even the tech giants Google and Apple, in a rare moment of congeniality, worked together to create a notification API for they mobile operating systems that would protect people’s privacy while still allowing contact tracing.
From an application design perspective the Data Protection Law has definitely had an impact. The NHS has followed the principle of Data Protection by Design from the outset. They drafted a Data Protection Impact Assessment and submitted it to the Information Commissioner’s Office (ICO). According to Elizabeth Denham, the ICO provided feedback in areas of transparency and communication – how to better inform individuals about the risks and their rights. It also provided some guidance on the functionality itself in relation to automated decision making and the algorithms that were being used. What’s more government has published the DPIA and made it publicly available.
The NHS has also made three different Privacy Notices:
This layered approach is to be applauded as it allows people to quickly get an understanding and dive down for more information although interlinking them – the easy one is a PDF – would be even more useful. What’s strange though is that on the NHS download page there is no obvious link to these privacy notices and no FAQ specifically addressing the question: “what are you doing with my data?”.
The NHS COVID-19 app had over 1 million downloads in the first 4 days after it’s launch. France’s Stop COVID application launched in June has only achieved that many downloads in almost 4 months. So from that perspective it’s been a success. But for the app to have any beneficial effect at least 7 million people need to download it.
Social media is filled with a lot of people stating that they don’t trust the government with their data. A little surprising to be honest considering the social media platforms that these people use are less transparent with how they’re using and protecting their data then the NHS COVID app is.
Whether or not the Data Protection Act has any impact depends on how much it gets referenced in the messaging. The NHS should be using it as part of their promotion. Referring to the regulation, the data protection assessments used in designing it and making the transparency of data processing front and center.
The Regulation worked. It lead to the creation of a public health application that uses personal minimal data to maximum effect. Now the NHS needs to do the same and make sure it calls this out front and center as part of its campaign so everyone knows the NHS app protect their data, so people can protect yourself and each other.
If they can’t push past the people who are more afraid about data loss than COVID then the 7 million target and the benefit of the app will be hard to realise.