Citation: BBC: England police to get access to NHS Test and Trace Data

The BBC has reported that the police will be granted access to Test and Trace data on a “case-by-case” basis to enforce coronavirus safety laws.

The news comes after the Government has admitted in a letter to the Open Rights Group (“ORG”) that no Data Protection Impact Assessment (“DPIA”) was undertaken in the development of its efforts to trace Covid-19 infections. Completing a DPIA is a legal requirement under the GDPR and Data Protection Act 2018. The ORG correspondence and press release can be found here.

The police will not be given access to the NHS Covid-19 app and will only be given details of whether an individual has been told to self-isolate.

In this case undertaking data processing for the primary purpose of law enforcement, has its own regulatory guidelines- the ICO guidance can be found here. The classification of such data is likely to be considered as sensitive health data. As such it must be demonstrated that the processing is strictly necessary and satisfy one of the conditions in the Data Protection Act 2018, Schedule 8 or is based on consent.

It remains to be seen what framework will be developed to ensure data protection compliance and privacy safeguards. A policy document must be in place for this type of processing to be undertaken.

YouTube faces £2bn legal action for alleged misuse of child data

A class action style law suit valued at £2bn has been filed in the High Court against Google, focusing on subsidiary YouTube’s handling of child user data.

The action alleges that YouTube collected the data of over 5 million British children without parental consent. The requirement of parental consent is enshrined in the General Data Protection Regulation and UK Data Protection Act 2018.

The claimant, privacy expert Duncan McCann, is represented by litigation specialist firm Hausfeld and supported by tech rights group Foxglove.

See coverage from the BBC and Business Wire.

The Schrems II case- EU-US data transfers left in question

The European Court of Justice has handed down its highly anticipated ruling in the Schrems II case. The case considered the validity of the EU-US Privacy Shield and the efficacy of Standard Contractual Clauses (“SCC”) as data transfer protection mechanisms.

In this landmark case it was found that the EU Commission’s adequacy decision around the EU-US Privacy Shield framework was invalid. The leaves the mechanism for conducting EU-US data transfers in question. This matter maybe covered by recent discussions between the UK and US around entering into a seperate data sharing agreement. However, in the interim a transitional mechanism is sorely needed alongside guidance for data processors to give clarity to how data sharing between the countries can be regulated and data subjects rights safeguarded.

The SCC regime was affirmed to be valid however, it was suggested that companies and regulators enter into a case by case basis analysis of risk. In particular, it was highlighted that such an assessment should take place where government access to data is mandated. This is a highly topical issue in the US given current efforts to put in place a federal data protection regime.

For more details on the Schrems II case see-

The IAPP

INFORRM

Law firm Bird & Bird

The ICO‘s press release

UK government releases NHS covid-19 data sharing agreements

Following significant pressure from groups such as OpenDemocracy and Foxglove the UK government has released its data sharing contracts with companies such as Amazon, Google and Microsoft for the creation of a cloud database for sharing covid-19 related data. Contracts with AI firms Planatir and Faculty were also released.

This promotes transparency and accountability around efforts to establish contract tracing technology and centralised databases to combat covid-19. The potential access to high volumes of healthcare data via these databases merits high levels of scrutiny under privacy and data protection laws. However, groups such as openDemocracy raised concerns around sharing high volumes of NHS data and the risk posed by significant third party exposure. In particular, it criticized the credibility of AI firms Planatir and Faculty.

In a recent press release from openDemocracy the contracts were made public:

View Google NHS agreements (PDF, 0.7 MB)

View Faculty NHS agreements (PDF, 0.9 MB)

View Palantir NHS agreements (PDF, 11.6 MB)

View Microsoft NHS agreements (PDF, 1.5 MB)

NHS England has also released the Data Protection Impact Assessment which was undertaken prior to forming a centralised data storage facility for covid-19 related data. This database holds data ranging from regional infection maps to 911 call data and bed capacities.

The NHS uses a ‘cloud first’ approach to ensuring that data is leveraged most effectively. All data is collated in a cloud database allowing for security and accessibility.

Morrisions data breach vicarious liability case before UK Supreme Court

Following its data breach in November 2013 the Morrisons data breach case is now before the UK Supreme Court. The breach involved the personal data of 5,500 employees.

An employee, Mr Skelton, took a memory stick containing the records of employees home. In January 2014 he uploaded the contents onto a data sharing website, later sending it to newspapers. Continue reading

Data protection rights

Personal data, such as your name, likeness, birthday or any other information which can be used to identify you is highly sensitive.

Protecting and bringing actions on the basis of your personal data being harvested, used or misused is a key foundational right to privacy. Continue reading

£3billion class action against Google given the go-ahead – Lloyd v Google LLC [2019] EWCA Civ 1599

Mr Lloyd, a consumer protection advocate, brought a claim against Google for damages on behalf of 4m Apple iPhone users. It was alleged that Google secretly tracked some of their internet activity for commercial purposes between 9 August 2011 and 15 February 2012. Continue reading