Digital Contact Tracing Updates from the Human Rights Committee

11 May 2020 by

The Human Rights Committee, reviewing NHSX’s current digital contact tracing app architecture, has recommended that the government’s current privacy assurances are not sufficient to protect data privacy and that legislation must be passed to ensure that. This echoes Professor Lilian Edwards’ call for primary legislation to ensure privacy rights are protected. These recommendations are given special significance NHSX’s choice to adopt the controversial and arguably less secure “centralised” model (an explanation of the different contact tracing models and Prof Edwards’ suggested legislation can be found here). 

The proposed legislation, found here, states in writing the Human Rights Committee view that the app would necessitate the creation of a ‘Digital Contact Tracing Human Rights Commissioner’ (DCTHRC). The DCTHRC would be a position analogous to the Information Commissioner: it would review the privacy safeguarding and human rights implications of digital contact tracing. The DCTHRC would be responsible for overseeing the collection and processing of any contact tracing data, compliance with privacy and human rights law, and deciding, at any given point, whether digital contact tracing remains a proportional response to the crisis (i.e. whether the whole project should be scrapped and the data deleted). 

The Bill suggests various data protection mechanisms. It makes it an offence to “knowingly or recklessly re-identify de-identified contact tracing data” (9(5)). The idea behind this clause is that specific pieces of data which the app would collect, such as contacts and postcodes, could be combined with other data to “re-identify” individuals with “de-identified” data. If I know that user #5 lives in a certain postcode and that they’ve been in regular contact with another user during the day, and another at night, I may be able to work out where #5 lives and works, and therefore who they are. It’s for this reason that contact tracing data cannot be considered “anonymous” under GDPR, and makes privacy and security particularly important. 

The bill also specifies the need for the user’s consent in any processing of data. Clause 11 specifies that “Digital contact tracing data may not be collected from a mobile device unless each person who owns or operates the device has given consent”. The idea is that, upon getting a positive diagnosis, the user of the phone would still have to consent to uploading that diagnosis to the central system. However, as some have pointed out, under a centralised contact tracing system, phones upload contacts between people. As such, when one consents to upload their data, one is also uploading the data of all one’s contacts. Essentially, any time someone with a positive diagnosis uploads their contacts to the central server, they have uploaded personal data about all the people they have been in contact with (i.e., both the contact and their risk of contracting COVID19) without their consent. This seems to be an issue inherent to the centralised model. 
It appears likely that legislation of this kind will be passed in the near future, given that it has support from the Human Rights Committee and several senior Conservative party MPs. Meanwhile, the government is developing a second, decentralised contact tracing app. The government’s centralised app strategy could change to favour the second app, dependent on the outcome of the currently ongoing trial at the Isle of Wight.

Rafe Jennings is a regular contributor to UKHRB

The Society for Conservative Lawyers will be running a webinar on contact tracing apps on Wednesday this week (13 May). The leaders of this webinar include Guy Mansfield QC (Lord Sandhurst), formerly of 1 Crown Office Row, whose previous papers on this project we have published on the UKHRB. Here’s a taster:

In their paper, Contact Tracing – what Government must do to achieve take-up and secure privacy, Lord Sandhurst QC, Benet Brandreth QC and Simon PG Murray argue that the NHS scheme for a contact tracing App to fight the spread of COVID-19 must be safeguarded by Parliament to ensure that it is not abused and cannot lead to overreach beyond this specific Emergency. 

The panel will also include Professor Lilian Edwards, Professor of Law, Innovation and Society at Newcastle Law School, and Joe Robertson, a lawyer who just happens to live on the Isle of Wight where the app is being trialled. The panel will discuss the practicality of the roll out on the Isle of Wight and look at the implications of the wider use of the App.

Welcome to the UKHRB


This blog is run by 1 Crown Office Row barristers' chambers. Subscribe for free updates here. The blog's editorial team is:
Commissioning Editor: Jonathan Metzer
Editorial Team: Rosalind English
Angus McCullough QC David Hart QC
Martin Downs
Jim Duffy

Free email updates


Enter your email address to subscribe to this blog for free and receive weekly notifications of new posts by email.

Subscribe

Categories


Tags


Aarhus Abortion Abu Qatada Abuse Access to justice adoption AI air pollution air travel ALBA Allergy Al Qaeda Amnesty International animal rights Animals anonymity Article 1 Protocol 1 Article 2 article 3 Article 4 article 5 Article 6 Article 8 Article 9 article 10 Article 11 article 13 Article 14 article 263 TFEU Artificial Intelligence Asbestos Assange assisted suicide asylum asylum seekers Australia autism badgers benefits Bill of Rights biotechnology blogging Bloody Sunday brexit Bribery British Waterways Board Catholic Church Catholicism Chagos Islanders Charter of Fundamental Rights child protection Children children's rights China christianity citizenship civil liberties campaigners civil partnerships climate change clinical negligence closed material procedure Coercion Commission on a Bill of Rights common law communications competition confidentiality consent conservation constitution contact order contact tracing contempt of court Control orders Copyright coronavirus costs costs budgets Court of Protection crime criminal law Cybersecurity Damages data protection death penalty defamation DEFRA deportation deprivation of liberty derogations Detention Dignitas diplomacy disability disclosure Discrimination disease divorce DNA domestic violence duty of care ECHR ECtHR Education election Employment Environment Equality Act Equality Act 2010 Ethiopia EU EU Charter of Fundamental Rights EU costs EU law European Convention on Human Rights European Court of Human Rights European Court of Justice evidence extradition extraordinary rendition Facebook Family Fatal Accidents Fertility FGM Finance foreign criminals foreign office foreign policy France freedom of assembly Freedom of Expression freedom of information freedom of speech Gay marriage gay rights Gaza Gender genetics Germany Google Grenfell Gun Control Health HIV home office Housing HRLA human rights Human Rights Act human rights news Human Rights Watch Huntington's Disease immigration India Indonesia injunction Inquests insurance international law internet inuit Iran Iraq Ireland islam Israel Italy IVF ivory ban Japan joint enterprise judaism judicial review Judicial Review reform Julian Assange jury trial JUSTICE Justice and Security Bill Law Pod UK legal aid legal aid cuts Leveson Inquiry lgbtq liability Libel Liberty Libya lisbon treaty Lithuania local authorities marriage Media and Censorship mental capacity Mental Capacity Act Mental Health military Ministry of Justice modern slavery morocco murder music Muslim nationality national security naturism neuroscience NHS Northern Ireland nuclear challenges Obituary parental rights parliamentary expenses scandal patents Pensions Personal Injury physician assisted death Piracy Plagiarism planning planning system Poland Police Politics Pope press prison Prisoners prisoner votes Prisons privacy Professional Discipline Property proportionality Protection of Freedoms Bill Protest Public/Private public access public authorities public inquiries quarantine Radicalisation rehabilitation Reith Lectures Religion RightsInfo right to die right to family life Right to Privacy right to swim riots Roma Romania Round Up Royals Russia saudi arabia Scotland secrecy secret justice Secret trials sexual offence Sikhism Smoking social media social workers South Africa Spain special advocates Sports Standing starvation statelessness stem cells stop and search Strasbourg super injunctions Supreme Court Supreme Court of Canada surrogacy surveillance Syria Tax technology Terrorism tort Torture travel treason treaty accession trial by jury TTIP Turkey Twitter UK Ukraine universal jurisdiction unlawful detention USA US Supreme Court vicarious liability Wales War Crimes Wars Welfare Western Sahara Whistleblowing Wikileaks wildlife wind farms WomenInLaw Worboys wrongful birth YearInReview Zimbabwe

Disclaimer


This blog is maintained for information purposes only. It is not intended to be a source of legal advice and must not be relied upon as such. Blog posts reflect the views and opinions of their individual authors, not of chambers as a whole.

Our privacy policy can be found on our ‘subscribe’ page or by clicking here.

%d bloggers like this: