The news comes after the Government has admitted in a letter to the Open Rights Group (“ORG”) that no Data Protection Impact Assessment (“DPIA”) was undertaken in the development of its efforts to trace Covid-19 infections. Completing a DPIA is a legal requirement under the GDPR and Data Protection Act 2018. The ORG correspondence and press release can be found here.
The police will not be given access to the NHS Covid-19 app and will only be given details of whether an individual has been told to self-isolate.
In this case undertaking data processing for the primary purpose of law enforcement, has its own regulatory guidelines- the ICO guidance can be found here. The classification of such data is likely to be considered as sensitive health data. As such it must be demonstrated that the processing is strictly necessary and satisfy one of the conditions in the Data Protection Act 2018, Schedule 8 or is based on consent.
It remains to be seen what framework will be developed to ensure data protection compliance and privacy safeguards. A policy document must be in place for this type of processing to be undertaken.
The Privacy Perspective 