Draft Covid-19 contact tracing legislation proposes formal oversight

Parliament’s Joint Committee on Human Rights has again appealed to health secretary Matt Hancock to address privacy and data protection concerns arising from the government’s Covid-19 contact-tracing app with new legislation, proposing formal oversight from a new digital contact tracing human rights commissioner.

In a letter to Hancock, the committee’s chair Harriet Harman said the Human Rights Committee disagreed with his assessment that primary legislation is not necessary to guarantee privacy in the contact-tracing app.

Harman described the current law as an “unsatisfactory mishmash” that spread across the Data Protection Act of 2018, Article 8 of the European Convention on Human Rights, the European Union (EU) General Data Protection Regulation (GDPR) and established case law on the right to privacy.

“That, as our report last year affirmed, has already proved inadequate to protect the individual from misuse of their data. But the contact tracing app is a more significant data collection mechanism that anything envisaged hereto,” said Harman.

“The assurances you give in your letter would be better in bespoke legislation and to assist we have produced a draft Bill.

“It is not our intention to delay the roll out of the contact tracing app due in the next couple of weeks after the Isle of Wight pilot. But we believe that parliament could quickly and consensually pass this law. It has already done that in giving the government the powers it needs for tackling this pandemic,” she said.

The proposed Contact Tracing (Data Protection) Bill 2020 provides for the “regulation of the processing of information in respect of contact tracing for Covid-19, and for connected purposes”.

The new Digital Contact Tracing Human Rights Commissioner, who would have to be appointed within 28 days should the Bill receive Royal Assent, would be tasked with reviewing the application to digital contact tracing of privacy, data protection and human rights law, the processing of said data by ministers and public bodies, the security of the contact tracing systems, risks associated with the potential identification of individuals, and whether or not digital contact tracing is still necessary and proportionate.

The Bill also calls for the Commissioner to establish a formal complaints procedure – as per section 165 of the Data Protection Act 2018.

In terms of the data itself, Harman’s Bill makes it an offence for unauthorised people – that is to say anybody who is not the secretary of state or someone specified by them – to collect or process contract tracing data, and they must not do so other than for a permitted purpose.

It will be incumbent on the secretary of state to take all reasonable steps to ensure that the app’s backend processing systems process no more data than is needed for permitted purposes, and are secured, this last clause to be assessed and reviewed by the National Cyber Security Centre (NCSC).

It will also become an offence for anybody to knowingly or unknowingly re-identify the de-identified contact tracing data.

In terms of data collection and deletion, the Bill clarifies that the app will have to seek consent from each person who downloads it, and that the data generated be deleted from devices as soon as is practicable.

The app will furthermore be reviewed 21 days after the Bill gains Royal Assent – if it does – and at least once during each successive 21 day period, with each review considering whether contact tracing has been effective, the potential for breaches of the Equality Act 2010, the potential for breaches of European Convention rights such as they exist under the Human Rights Act 1998, any complaints received, and an overall assessment of cyber security.