Current Development

Our digital footprint under Covid-19: should we fear the UK digital contact tracing app?

Pages 84-97 | Received 01 Jun 2020, Accepted 02 Jul 2020, Published online: 15 Jul 2020
 

ABSTRACT

With the objective of controlling the spread of the coronavirus, the UK has decided to create and, in early May 2020, was live testing a digital contact tracing app, under the direction of NHS X, a joint unit of NHS England and NHS Improvement. In parallel, NHS X has been building the backend datastore, contracting a number of companies. While the second iteration of the app should integrate a more privacy-friendly design, the project has continued to be criticised for its potential to increase government surveillance beyond the pandemic and for purposes other than tracing the spread of the virus. While I share these concerns, I argue that equal attention should be given to the collaboration between NHS X and the private sector because it has the potential to magnify the illegal collection and sharing of data. Systematic enforcement of the General Data Protection Regulation (GDPR) in the private sector would disrupt the current dynamics hidden in plain sight.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Notes

1 Three types of apps are being developed or are already in use: symptom tracking apps, digital contact tracing apps, and immunity certificate apps. Some countries rejected the use of apps (Strauss 2020).

2 The UK Data Protection Act 1998 implemented the Directive. The Data Protection Act 2018 replaced the DPA 1998.

3 Articles 5 and 6 GDPR, very similar to Articles 6 and 7 Directive.

4 Article 9 GDPR, former Article 8 Directive.

5 Article 25 GDPR explicitly requires data protection by design; ICO, Guidance on GDPR.

6 Article 28 GDPR; ICO, Guidance to the GDPR.

7 Article 35 GDPR.

8 Recital 4 GDPR; the ICO Elizabeth Denham (Joint Committee on Human Rights 2020a, 2020c, 21).

9 Recital 4 GDPR; Recital 2 Directive (‘to serve man’).

10 The NCSC and GCHQ have been consulted on the cybersecurity implications of this centralised approach (Levy 2020). On the risks beyond security, not least privacy, see Michael Veale (Joint Committee on Human Rights 2020c, 1–2, 4–5, 19).

11 Only two official statements (of 28 March and 28 April 2020), with information added when Matthew Gould, head of NHS X, testified before the House of Commons Science and Technology Committee on 28 April 2020, and the Joint Committee on Human Rights on 4 May 2020.

12 Prof Lilian Edwards (House of Commons Science and Technology Committee 2020, Q362).

13 Compare with the Surveillance Camera Commissioner’s DPIA template drafted with the ICO (Surveillance Camera Commissioner 2020).

14 Like the UK, the French app uses a centralised approach.

15 Spain, Switzerland, Germany; thus the UK is an outlier (Joint Committee on Human Rights 2020a).

16 Work at Berkeley on the Android operating system (75% of the smartphone market) is starting to unravel the hidden data flows, legal and illegal. See Networks 2020; Vallina-Rodriguez and Sundaresan 2017; Vallina-Rodriguez et al. 2016.

17 As the French Government did, through its draft statutory instrument, in application of primary legislation.

18 Co-operation with the private sector is a more effective option to harness the benefits of digital technologies, as demonstrated for cybersecurity, see Guinchard 2018.

19 But it will not resolve some issues of data sharing facilitated by other legislation, as correctly pointed out by Michael Veale (Joint Committee on Human Rights 2020c, 8).

20 Hence the draft Bill requiring publication and a consultation period of a minimum of 2 weeks (Edwards et al. 2020).

21 The ICO did not see the conflict, in Joint Committee on Human Rights 2020c, 15–16.
