MPs urge ICO to act over Covid-19 government data concerns

The letter is signed by MPs from Labour, the Liberal Democrats, the Scottish National Party and the Green Party, and calls on Elizabeth Denham, the Information Commissioner, to address concerns that test and trace has been operating unlawfully.

Last month the government accepted it did not carry out a data protection impact assessment (DPIA) for test and trace before putting the programme in place.

DPIAs are necessary under the General Data Protection Regulation for projects deemed high risk to personal privacy and data security, and are intended to identify and minimise the data protection risks of a project.

The ICO said at the time the DPIA oversight came to light that it was working with the government as a “critical friend” to provide guidance and advice, and to ensure people’s data is protected.

The letter from the MPs has called on the ICO to do more to enforce data protection standards and maintain public confidence that data is being processed safely and legally.

“Parliamentarians and the public need to be able to rely on the regulator,” the letter says.

“However, the government not only appears unwilling to understand its legal duties, it also seems to lack any sense that it needs your advice, except as a shield against criticism.

“Regarding test and trace, it is imperative that you take action to establish public confidence – a trusted system is critical to protecting public health.”

The letter was organised by the Open Rights Group. Jim Killock, executive director of the Open Rights Group, said: “The ICO is a public body, funded by the taxpayers, and accountable to parliament. They must now sit up, listen and act.” 

An ICO spokesperson said: “Our regulatory obligations include advising as well as supervising the work of data controllers. Our approach during the pandemic has been to provide advice on the data protection implications of a number of initiatives by the UK government, the NHS, local councils and private sector organisations to respond to the public health crisis.

“We understand and recognise the government and other organisations had to act quickly do deal with the national health emergency, and we have explained their data protection obligations and provided guidance and expertise at pace to them. We have published much of this work so there is transparency, and will audit and investigate arrangements where necessary to ensure people’s information rights are upheld.

“We will continue to uphold people’s information rights, and we will act where our advice is not followed and where we find serious, systemic or negligent behaviour that puts people’s protections at risk.”