NEWS5 May 2020

ICO outlines contact tracing privacy recommendations

Covid-19 Healthcare Mobile News Privacy Public Sector UK

UK – The Information Commissioner’s Office (ICO) has set out its privacy expectations for Covid-19 contact tracing apps, saying they require a Data Protection Impact Assessment (DPIA) before being deployed.


The data protection regulator is providing oversight of the contact tracing app being developed by the NHS, information commissioner Elizabeth Denham said during a session of the parliament’s human rights committee yesterday ( 4th May).

DPIAs are needed before any contact tracing tools prior to implementation, the ICO said in a document sent to the committee ahead of the session, as the data processing involved is likely to result in a high risk to people’s rights and freedoms.

The app being developed by the NHS’ digital arm, NHSX, is being trialled this week on the Isle of Wight.

During the session, Denham said the ICO had been involved in advising NHSX on the data protection aspects of the app, and NHSX had shared “some technical material” with the ICO. However, she said the regulator had not received the DPIA, which it expects to “critique and comment on”.

The ICO will also monitor public reaction to the app when it is deployed, take complaints and undertake audits and any investigations.

In the best practice document, the ICO recommended that developers of contact tracing tool are transparent about their purpose, design choices and benefits, and ensure they are only collecting the minimum amount of personal data necessary.