Health secretary Matt Hancock has refused to adopt a proposed bill that would guarantee the security and privacy of data generated by the controversial NHS Covid-19 contact-tracing app and appoint a commissioner to oversee and review it, saying existing protections are sufficient.
The Contact Tracing (Data Protection) Bill was drafted in the Joint Human Rights Committee following intense scrutiny of how the app works, and put forward by its chair, former deputy Labour leader Harriet Harman. The committee believes that existing law, centring on the General Data Protection Regulation (GDPR), the Data Protection Act 2018 and established case law, was never intended to deal with the concept of contact tracing.
“This is a wholly new area of data collection and therefore we need not the failed mishmash of protections that’s currently existing, we need a new bespoke bill,” Harman told a press conference on 19 May 2020.
In a letter dated 21 May, Hancock said he had every confidence that the contact-tracing app was in compliance with the law and the information governance standards expected of UK public services.
“I do not consider that new legislation is necessary to govern contact tracing,” wrote Hancock. “I am firmly of the view that existing legislation provides the necessary powers, duties and protections. In accordance with those checks and balances, we are already taking all necessary steps to ensure the app operates in a fair and transparent way and protects any data that the app collects from a user.
“Participation in contact tracing and use of the app is voluntary and we will ensure that an app user understand fully how their data will be collected, used and protected throughout their time using the app.
Hancock said that both the Data Protection Act 2018 and the Human Rights Act 1998, the government’s “commitment” to transparency, and other commitments he had made himself, would be enough to ensure the high levels of security and privacy needed to ensure people feel comfortable downloading and using the app.
This is in spite of remarks by Harman to the effect that personal commitments and assurances made by a minister did not constitute any kind of guarantee or offer any justification for members of the public to trust Hancock.
Hancock said: “There is rigorous governance in place, including senior responsible owners for each delivery workstream, and robust equality and data protection measures are being built into the design of the programme, including the app.
“We will continue to work with the Information Commissioner’s Office and the National Cyber Security Centre and use our Ethics Advisory Board to review our processes, provide rightful challenge and informed advice as the test and trace programme is rolled out nationally in the coming weeks.”
Hancock also talked up the appointment of Dido Harding to lead the wider test and trace programme – it was Harding who, as CEO of ISP TalkTalk, presided over a major data breach in which the personal details of over four million customers were accessed. Harding went on to be made a baroness, and is married to a sitting Conservative MP.
Read more about the Contact Tracing (Data Protection) Bill
- Chair of Human Rights Committee aims to put the proposed Contact Tracing (Data Protection) Bill 2020 before parliament as a private member’s bill if necessary.
- Human Rights Committee chair Harriet Harman has outlined a proposed bill to guarantee the security and privacy of data generated by the UK’s Covid-19 contact tracing app.
- Reassurances over the security and human rights implications of NHSX’s approach to developing its Covid-19 contact-tracing app are insufficient, says the cross-bench Human Rights Committee.
Harman has sought permission from Commons leader Jacob Rees-Mogg to introduce a private member’s bill into parliament.
However, Emma Burnett, a partner at law firm CMS, said the call for additional legislation was a red herring, masking the real problem of a lack of awareness around the law as it exists, and branded Harman’s understanding “flawed”.
“The UK already has a comprehensive, robust set of rules and safeguards in place, which need to be better understood and explained,” said Burnett. “Consumers need firm reassurance that their personal data is already adequately protected under the GDPR and cannot be used for any other purposes without the individual’s knowledge.
“The main reason for an app of this kind is to provide more freedom and a safer way to ease out of lockdown. If the public are deterred from downloading it, this could prolong restrictive lockdown, which in itself could place far greater restrictions on an individual’s freedom than any voluntary downloading of an app would do.”
Harman’s office had not responded to a request for comment at the time of writing.