Submitted URL: http://t.co/5iRooYhLt5
Effective URL: https://www.openrightsgroup.org/press-releases/org-report-finds-that-ico-failed-to-hold-the-government-to-account-over-use-of-pu...
Submission: On May 25 via manual from GB — Scanned from GB

25 May, 2023


ORG REPORT FINDS THAT ICO FAILED TO HOLD THE GOVERNMENT TO ACCOUNT OVER USE OF
PUBLIC HEALTH DATA DURING PANDEMIC

ORG’s new report exposes failures by the Information Commissioner’s Office (ICO)
in protecting the public’s privacy and data rights during the Covid-19 pandemic.




FAILURE TO ACT

Data privacy and the Information Commissioner’s Office During a Crisis analyses
the ICO’s role in relation to three key Covid-19 health programmes:

 * NHS Test and Trace
 * NHS Contact Tracing App
 * NHS Datastore.

Our report finds that the ICO repeatedly failed to take action over clear
breaches of data protection law by the government. The ICO’s decision to act as
a “critical friend” meant that it was left to civil society and the media to
challenge the government over a lack of transparency and accountability,
excessive retention of data, missing and late Data Protection Impact Assessments
(DPIAs), and the involvement of private companies without proper safeguards.

As a result of these failings, there are concerns that the large datasets
created during the pandemic could still be used in new and unexpected ways in
the future. Data sharing agreements with private companies like Palantir have
allowed private corporations to take advantage of the pandemic to siphon
sensitive data from national public health databases. Last month, Open Democracy
reported that hospitals are being forced to share patients’ data with
multinational corporations like Palantir.


THE FUTURE OF DATA PROTECTION IN THE UK

The report provides further evidence that the Data Protection and Digital
Information (DPDI) Bill should be dropped because it would further undermine the
independence of the ICO. The Bill also presents a clear threat to the UK’s data
protection framework when in fact the UK needs more robust data governance and
accountability requirements, and stronger GDPR complaint mechanisms.

Policy Manager, Abigail Burke, said:

“The pandemic presented a unique set of difficulties for government but this
does not excuse the general disregard for our privacy rights displayed by
government and permitted by the ICO.

“The ICO’s failure to enforce data protection law undermined public trust at a
time when it was desperately needed. We are still feeling the implications of
this negligent data governance with the continued sharing of public health data
with companies such as Palantir.

“With the government attempting to weaken data protection rights through the
Data Protection and Digital Information Bill, it is more important than ever
that the UK has a strong and independent data protection authority that is
willing to stand up to the government, public bodies and corporations.”


ABOUT THE REPORT

The report analyses the use of data in three key Covid-19 health programmes: NHS
Test and Trace, the NHS Contact Tracing App and the NHS Datastore. It compares the ICO’s
response to that of other European data protection authorities and UK
regulators; analyses the future impact of new changes to data protection law;
and sets out policy recommendations for the government and ICO.


KEY FINDINGS

 * Public health programmes were deployed unlawfully, and underpinned by
   negligent data governance. All three programmes failed to comply in full with
   the requirement in Article 35 GDPR for DPIAs. This was most notable for Test
   and Trace and for the Datastore, where no DPIA was entered into with
   providers prior to entering into agreements with them. Had they complied with
   the law, some of the subsequent data breaches could have been prevented.
   These included confidential contact tracing data being leaked on social media
   channels by Test and Trace personnel, being abused to harass women, or being
   lost due to being stored on an Excel sheet.

 * The ICO acted as a “critical friend” and did not enforce the law effectively,
   which led to these programmes falling short of important safeguards and data
   protection requirements. This exposed the public to significant risks and
   harms as outlined above. This approach contributed to the delay to the
   rollout of the Covid-19 app after the government ignored the ICO’s advice
   about a decentralised app.

 * The ICO was absent from data protection conversations when it was needed
   most, most notably from discussions regarding the NHS Datastore, and
   continues to have a limited, hands-off approach to the Federated Data
   Platform. This has left civil society and the public to fill the regulatory
   and oversight gap and ask challenging questions.

 * The ICO was ill-prepared to deal with an emergency compared to other UK
   regulators, such as the Financial Conduct Authority (FCA) and other European
   data protection agencies, who took action to ensure that their government’s
   pandemic programmes complied with data protection law.

 * The DPDI Bill will weaken the UK GDPR’s accountability framework.

 * The DPDI Bill will water down the statutory function of the ICO and threaten
   its independence.

--------------------------------------------------------------------------------


FIND OUT MORE


DATA PRIVACY AND THE INFORMATION COMMISSIONER’S OFFICE DURING A CRISIS

Lessons learned from the Covid-19 pandemic.

Read the full report


ATTEND THE LAUNCH EVENT

Join us for the online launch of our report into how your confidential medical
data was handled during the COVID-19 pandemic.

2005 – 2023, free to reuse except where stated.

Open Rights is a non-profit company limited by Guarantee, registered in England
and Wales no. 05581537.
