jirsak - stock.adobe.com

GDPR wholly inappropriate to govern contact-tracing data

Human Rights Committee Chair Harriet Harman says current data protection law is not up to the job of governing the data collected by the Covid-19 contact-tracing app

Labour MP and chair of the Joint Committee on Human Rights, Harriet Harman, has branded the European Union (EU) General Data Protection Regulation (GDPR) wholly inadequate for ensuring the security and privacy of data collected by the government’s under-test Covid-19 coronavirus contact-tracing app.

Speaking at a virtual press conference, Harman said that even before the pandemic, the committee had taken the view that the current system of data protection in the UK was not good enough, but that this rang even more true today.

“This is a wholly new area of data collection and therefore we need not the failed mishmash of protections that's currently existing, we need a new bespoke bill,” said Harman.

“Currently the protection is spread between the GDPR, the Data Protection Act 2018, case law on privacy and the European Convention on Human Rights, and it’s a tangle of law which never envisaged the sort of contact-tracing app that is now about to be brought in. So a bespoke law that goes alongside this new app is exactly what is needed,” she said.

Harman has already expressed these concerns to health secretary Matt Hancock, and offered up a draft bill – the Contact Tracing (Data Protection) Bill 2020 – as a fully formed piece of legislation ready for the government to put forward. She has received a reply from Hancock saying that data security and privacy will be protected.

However, she said, Hancock’s assurances over data security and privacy did not amount to a satisfactory guarantee.

“He’s given that assurance, but actually a letter does not provide any protection, even a letter from Matt Hancock. A bill does, it needs to be in law,” she said.

“I just don’t think assurances, however well-motivated and genuinely given, cut the mustard. A minister’s letter is not legal protection. It’s not a framework within which public agencies work – public agencies work within a framework of law, of legal duties and obligations,” said Harman.

“So when he [Hancock] says we’ll make clear that it will be used to help understand and manage the pandemic, he’s simply saying, trust us, we’ll make it clear that that’s what it will be used for.

“The gap between what that offers by way of assurance and the certainty of what is necessary is just far too wide…Matt Hancock is on the same page in terms of recognising that there needs to be protections. He just seems to think that his letter is protection enough, and it manifestly isn’t, and my worry is that they’re going to wake up to this too late,” she said.

Harman conceded that the government is clearly overloaded but said that her cross-bench committee had been able to come to agreement that legislation was necessary, so it was to some extent a no-brainer that the government should adopt the bill.

Harman is currently seeking permission from Jacob Rees-Mogg, the leader of the House of Commons, to introduce her bill as a private members’ bill – this is necessary because, due to the pandemic, there is currently no mechanism to do so in the normal manner.

She added that even though the committee had said the development of the contact-tracing app should not go ahead without appropriate legislation in piece, she personally would download it, even without the bill having passed.

Read more about contact-tracing

Read more on Privacy and data protection

Data Center
Data Management