COVID-19: PEOPLE: HOW

GOVERNMENTS ARE USING

PERSONAL DATA TO FIGHT
COVID-19 (UK)
08 April 2020 | London
Legal Briefings

The COVID-19 outbreak has resulted in an unprecedented focus on

the power of data to assist in resolving national emergencies. From
health tracking, to volunteer coordination, to accurately identifying
the vulnerable, data is being harnessed in both the public and private
sectors to try to help bring COVID-19 under control and mitigate its
impact.

BACKGROUND
In the last few weeks we have seen a dramatic increase in wide scale data processing by
both the private and the public sectors, particularly in the context of special category data
such as health data, across relatively short timescales. Such a rapid turnaround will
inevitably raise questions about the extent to which data controllers are fully complying with
applicable data protection legislation including the Data Protection Act 2018, the e-Privacy
Regulation and the General Data Protection Regulation (“GDPR”) (together, “Data
Protection Legislation”), and interesting considerations about balancing a desire to help
others with data protection principles that prioritise privacy.
Both the Secretary of State for Health and Social Care Matt Hancock and the Information
Commissioner’s Office (“ICO”) have tried to give comfort that data protection compliance
should not stand in the way of responding to COVID-19. In a tweet, Mr Hancock stated that
the “GDPR does not inhibit use of data for coronavirus response”. The ICO has noted that
COVID-19 raises “unprecedented challenges” and that it is “a reasonable and pragmatic
regulator, one that does not operate in isolation from matters of serious public concern”.
However, it is not the case that the rules have gone out the window, and none of the
statements made should be taken as giving carte blanche to use personal data
indiscriminately. All of the usual rules apply; it is simply that the relevant authorities are
likely to take a more practical view when considering whether companies or other entities
have fulfilled their legislative obligations.

EXECUTIVE SUMMARY
It is clear from Government responses around the world to date that technology and data are
at the forefront of the battle to understand, track and contain the COVID-19 pandemic.

In the UK, the newly enacted Coronavirus Act has indirectly opened the door for new data
processing, particularly in relation to law enforcement, and many commentators are
concerned about the potential resultant privacy impact on citizens. The UK Government is
also considering how phone location data might be used to track the effectiveness of social
distancing, a move which could result in unprecedented levels of data sharing between
private telecoms organisations and public authorities.

At the moment however, the NHS is leading the way with data use. It has responded quickly,
aiming to use technology and data to map its assets (such as beds and healthcare staff) and
their deployment, as well as developing contact tracing, volunteering and data sharing
initiatives, often in collaboration with private sector organisations.

In Europe, we are seeing a similar balancing act between public health and privacy. Several
governments are looking to phone location data for social distancing and contract tracing
purposes but we are seeing varying approaches in terms of setting guidelines for personal
data usage. It is clear that there is a tension between the desire to do everything possible to
halt the spread of the virus and saves lives, versus setting a precedent for broad sweeping
incursions into the private lives of citizens at a time when freedoms are already being
restricted in ways that have not been seen since the Second World War. One private
development of note is the Pan-European Privacy-Preserving Proximity Tracing project, which
seeks to harmonise the need for contact tracing with Europe’s more stringent data protection
laws.

Internationally, the use of personal data varies considerably, and we are seeing some
particularly interesting but potentially privacy invasive uses of personal data in countries
such as Israel and Taiwan. No matter where you are, personal data is at the forefront of the
fight against COVID-19, and countries such as Singapore and South Korea credit their use of
personal data as a key element of their strategies for containing the outbreak.
Of course, holding or processing more personal data also increases cyber security risks and
raise the potential for phishing attacks, which are already being seen around the world. At a
time when the world’s attention is focussed on the outbreak, cyber criminals are clearly
seeing an opportunity and seeking to capitalise on it.

Finally, it is worth also noting that all organisations, no matter the sector they occupy, are
finding themselves dealing with new internal data protection considerations, such as in the
context of remote working, or trying to decide the extent to which to process the personal
data of unwell employees. We do not consider such processing here, but you can find out
more in our post on Data Privacy Issues.

PUBLIC SECTOR RESPONSES

GOVERNMENT-LEVEL ACTIONS
The UK Government is having to act more dynamically than at any other time in recent
memory to try to manage and contain the outbreak of COVID-19. It is increasingly becoming
apparent that innovative uses of data, including processing large volumes of personal data,
are at the forefront of the Government’s response.

When the Coronavirus Bill 2020 was enacted on 25 March 2020 (the “Act”), it was scrutinised
by data protection practitioners. Although there are no direct data processing provisions, a
number of sections will potentially require increased data processing and potential incursions
into data subjects’ privacy:

It is unsurprising that the Act anticipates increased surveillance and possible civil unrest.
Section 22 of the Act allows for temporary judicial commissioners overseeing
surveillance, and the continuation of the Investigatory Powers Act 2016 (often referred to
as the ‘Snooper’s Charter’) without inhibition. Intelligence agencies are able to ask for
warrants for a range of surveillance activities including real time surveillance and
accessing bulk mobile data. Importantly, if a telecommunications operator is required to
provide such data under the Investigatory Powers Act they may also be prevented from
disclosing this to the public.

The Act contains several provisions that deal with general data sharing between entities
and Government agencies, providing that such sharing will not contravene Data
Protection Legislation. Two key areas where this takes effect are in relation to the food
supply chain, and local authority capacity to deal with the transportation, storage or
disposal of the deceased.
One of the key critiques of the Act is that it is likely to be left in place following the end of the
epidemic and allows powers to last for a period of two years, which is potentially an
excessive timeframe. The Government has provided a small concession by introducing six
monthly reviews where Parliament may decline to renew the powers. Regulations would then
need to be brought forward for the Act to cease to have effect.

Many commentators have raised concerns about the powers granted by the Act. Big Brother
Watch has warned that the Act is draconian and appears to “weaken safeguards on mass
surveillance powers”. Meanwhile, a number of Britain’s leading data scientists have written
an open letter warning of the dangers of technology and data-driven decisions, especially the
implications of the NHS introducing a new data-tracking app that may infringe rights. The
letter also criticises the lack of transparency on use of mobile phone data and tracking,
allowed under the Investigatory Powers Act.

Separately from the Act, the Government has considered how it might use phone location
data provided by UK telecommunications operators. BT (owner of EE) and O2 have both been
reported to be in talks with the Government regarding the potential use of smartphone
location and usage data to confirm whether social distancing measures are working, and
whether people are actually staying at home. It may also be leveraged to provide localised
health alerts to the public. Whilst O2 has provided aggregated anonymised data so far, there
is no suggestion that data which might identify individuals has been required yet. If it was,
this would be an unprecedented level of surveillance at a time where less invasive
alternatives are becoming available (see more below on Bluetooth-based contact tracing).
The ICO has however specifically ‘approved’ the use of aggregated and anonymised mobile
phone data to track and monitor behaviour, noting that “[g]eneralised location data trend
analysis is helping to tackle the coronavirus crisis. Where this data is properly anonymised
and aggregated, it does not fall under data protection law because no individual is identified.
In these circumstances, privacy laws are not breached as long as the appropriate safeguards
are in place.” This will be of comfort to telco operators being asked to provide data. However,
it is worth noting that truly anonymised data does not fall within the scope of the GDPR in
any event.

POLICE AND LAW ENFORCEMENT

In the past few weeks, police forces across the country have come in for criticism about
excessive exercises of their COVID-19 related powers and incursions into people’s privacy.
Videos have been posted by local forces showing drone footage of people walking in the Peak
District with the suggestion that this is in breach of Government guidance, random
checkpoints have been established, and more and more people are being questioned about
their activities when outside of the home.
In all of those cases, police forces are likely to be processing personal data about individuals,
and whilst they have been granted wider powers under the Act, this will still need to be
undertaken in a manner which complies with Data Protection Legislation. On a more holistic
level, there is a view that although people are willing to suffer some incursions on their
privacy and freedoms to deal with COVID-19, recent actions have gone too far, and risk
claims that we may now be living in an Orwellian state. This is perhaps an unintended
consequence of broad data collection powers being granted without associated guidance on
how to utilise such powers in a way which mitigates the privacy impact on individuals.

NHS
The NHS has unsurprisingly been at the forefront of Government data usage. On the
operational management side, the NHS intends to create a data platform which tracks the
movement of critical staff and materials in conjunction with Palantir, also leveraging Microsoft
Azure, Google G Suite, Amazon AWS and support from Faculty, a London based AI specialist.
The data store is not intended to include health data (although such data may inform the
dashboard in an aggregated form), but will provide a dashboard for tracking a wide range of
information including A&E capacity, the number and location of beds, ventilators and active
NHS staff. By using this system, which acts as somewhat of a health check for the NHS itself,
decision makers will be able to allocate resources based on an accurate overview of the real-
time responses. We understand that NHSX (the innovation arm of the NHS) has committed to
terminating data agreements and removing and destroying data once the crisis is over. The
project nonetheless raises interesting questions about collaborations with other
organisations. Choosing the right partner is going to have a measurable impact on data
subjects’ trust in any COVID-related initiative. Here, data protection advocates have raised
concerns about Palantir’s involvement given its controversial work with the US Immigration
and Customs Enforcement agency, and projects including predictive policing. The issues are
not just legal but also reputational. Data subjects are willing to hand over their personal data
to manage a crisis, but may do so less freely if they don’t trust the organisations that they
are giving it to.

The NHS’s second major development is in relation to contact tracing. It was reported on 31
March 2020 that the UK government is actively set to develop some form of contact tracing
app in the near future. Led by NHSX, the app will leverage Bluetooth to identify individuals
who have been in close proximity to each other, storing a record of that contact, and
providing a mechanism through which an individual can be notified if they have been near
someone that tested positive for COVID-19. Given the anticipated use of Bluetooth, it is
possible that NHSX may leverage Singapore’s TraceTogether app which used the same
technology, the code for which was open-sourced by the Singapore government last week.
You can read more about the proposed app and relevant data protection considerations,
along with the privately-developed Covid Symptom Tracker app, here.
In March, Matt Hancock issued four notices under the Health Service Control of Patient
Information Regulations 2002 which will require NHS Digital, NHS England and Improvement,
health organisations, arm’s length bodies, local authorities and GPs to process and share
confidential patient information with each other in relation to COVID-19. The notices run until
30 September 2020 at the time of writing, but may be reviewed and extended. Whilst the
notices make clear that the GDPR will still apply, they represent a fairly unprecedented level
of interagency data sharing, and may represent a new high water mark in relation to sharing
patient details.

Finally, one of the most positive personal data uses to come out of COVID-19 has been the
GoodSAM NHS Volunteer Responder initiative, a platform for ordinary people to volunteer to
support the NHS in various roles from taking patients home, to collecting shopping, to
checking in with individuals at risk of loneliness. Over 750,000 have now provided their
personal data to the platform to be matched with volunteering roles.

EU RESPONSE
In the early stages of COVID-19 in Europe, the European Data Protection Board stated that
“[d]ata protection rules do not hinder measures taken in the fight against the coronavirus
pandemic”. In the context of location tracking, it noted that, “[t]he national laws
implementing the ePrivacy Directive provide for the principle that the location data can only
be used by the operator when they are made anonymous, or with the consent of the
individuals. The public authorities should first aim for the processing of location data in an
anonymous way”. Where anonymisation is not possible, the EDPB’s view is that Member
States should introduce legislative measures pursuing national security and public security to
allow electronic communication data processing.

In a more recent development, European Data Protection Supervisor (“EDPS”) issued a letter
on using mobile phone data for monitoring. In line with the ICO’s position, the EDPS noted
that aggregated and anonymised mobile phone data could be used to map the movement of
people. However, the EDPS noted that removing obvious identifiers such as phone numbers
and IMEI numbers would not be sufficient to effectively anonymise the data. The Supervisor
also made clear that there should be transparency towards the public to avoid any potential
misunderstandings.

European governments and data protection regulators have taken varying approaches in
their COVID-strategies. The CNIL in France has said that data should be limited to the
purpose of managing exposure to the virus. It flagged in particular that employers may not
take mandatory temperature readings of employees or visitors on a systematic and
generalised basis, or require them to complete compulsory medical questionnaires. Italy
passed emergency legislation requiring individuals from at-risk areas to notify health
authorities, whilst Germany specifically updated its national privacy legislation to allow for
processing of personal data in an epidemic, or natural or man-made catastrophe.
Furthermore, despite being notoriously privacy-focused, Germany is now looking at
introducing some form of contact tracing app, notwithstanding that the government had to
back down in March from related plans to track location data due to public backlash.
Supplementing the government approaches, a European technology group unveiled the Pan-
European Privacy-Preserving Proximity Tracing (“PEPPPT”) project on 1 April 2020, as an
attempt to marry the need for contact tracing with the European Union’s more stringent data
protection requirements. It is described as “a fully privacy-preserving approach” to contract
tracing. Whilst the PEPPPT project works on a Bluetooth model which is similar to the
Singaporean TraceTogether approach, the data it collects is extremely limited. Any apps
using the PEPPPT model would only generate a temporary anonymised and encrypted ID,
with no location data or identifiable features of end devices collected. Perhaps the most
useful aspect of the project is that it acknowledges that there is no ‘one size fits all’ solution
for the European Union, and instead provides technical mechanisms and standards that can
be tailored to the relevant jurisdiction.

OTHER INTERNATIONAL RESPONSES

It will be interesting to see which lessons from other international governments the UK
chooses to follow. Initiatives globally have varied in their success, and there have been some
fairly significant incursions into the privacy rights of individuals.

The initial decline in the rate of new infections in South Korea was widely attributed to the
government’s use of Corona 100m, a central tracking app which provides a publicly available
map for users to check if they have been within the vicinity of a known case, and proactively
informs users where they have been. Concerns have, however, been raised over the level of
information provided to the public, as such data can include surname, gender, age,
profession and travel history of the infected individual.

Singapore employed TraceTogether, an app which can use Bluetooth to identify people who
have been within two metres of a confirmed case for at least thirty minutes. Once users grant
the app permission, it begins logging other people using the app who the user has come in
close contact with. Where data shows they have come into close contact with someone who
has tested positive for the virus, the user can then opt to share their log data, i.e. data on
other people, with the government.

Others have taken different approaches. For example, the Indian state of Karnataka has now
made it mandatory for those individuals asked to self-quarantine to upload an hourly selfie,
to an app called ‘Quarantine Watch’. Poland have implemented something similar for those
entering a 14-day mandatory quarantine within the country. An app sends periodic requests
for geo-located selfies, with the police being alerted if a selfie is not uploaded within 20
minutes of request.
On the more draconian end of the scale, the Israeli government passed an emergency law in
March that allows the police and the security services access to the entire nation’s mobile
phone location data in an effort to curb the virus. Hong Kong have embraced wristbands for
those in quarantine (now reportedly with a GPS tracker built in), whilst Taiwan have
employed what they have called a mobile phone based ‘electronic fence’ system, which
alerts police and local officials if those in quarantine move away from their home address or
turn their phone off. China has also reportedly introduced a health code system where users
are given a colour ranking which will determine whether they should be quarantined or not,
and potentially limits their ability to access public places, but little is known about how users’
personal data is used to generate these classifications.

PRIVATE SECTOR
There have also been a wide range of responses in the private sector to try to manage the
COVID-19 outbreak, with several organisations focussing on practical solutions such as
developing new medical tests or filling the ventilator shortfall. On the personal data front, the
response falls into two key categories: symptom tracking and community responses.

The most well-known private personal data response in the UK is the Covid Symptom Tracker
app developed between ZOE, a health and data science company, and Tim Spector, a genetic
epidemiology professor at Kings College London. The app asks users to report their
symptoms daily, even if well, to be added to a repository that is being used by the NHS, and
shared with universities for research purposes. The app’s privacy compliance is based on
user consents, with purposes apparently limited to various COVID-19 related purposes.

In a similar vein, TrackTogether and LetsBeatCOVID.net use self-reported symptoms for

tracking related purposes. TrackTogether focuses on using symptoms and postcode data to
show users how many known cases are in their immediate area. LetsBeatCOVID.net has been
developed by MedShr, which has previously styled itself as ‘Instagram for doctors’, and feeds
aggregated self-reported symptoms back to MedShr’s one million doctor users. It builds on
MedShr’s initial purposes of allowing doctors to connect and share knowledge with each
other. Again, the model is based on anonymous but consent-based submissions.

In the US, Amazon’s Alexa and Apple’s Siri can now assist users with diagnosing COVID-19 by
asking about their symptoms, travel history and possible exposure. It remains to be seen
whether that capability will be rolled out to the UK. If it is, that could become the first
example of COVID-related health data being shared with profit-making, commercial
organisations, who will need to be very careful about how they inform users of the privacy
implications of collecting their personal data.

As well as the more sophisticated apps, we have seen a huge rise in the number of informal
community organisations and volunteer groups. These have proven critical in the early
stages of COVID-19, particularly for ensuring the vulnerable have enough supplies. Although
the individuals involved may not have engaged with data protection principles before, the
group coordinators will be data controllers in relation to their volunteers and those they help.
Pleasingly, this is where the ICO is proving to be most pragmatic, posting a helpful blog post
for community groups. It takes an extremely sensible approach to the GDPR and sets out in
simple terms the grounds on which these groups could use personal data.
Building on the community organisations, a number of new platforms are being developed to
connect volunteers with a variety of community organisations easily online, and help allocate
tasks efficiently.

CYBER-ATTACKS AND PHISHING

With new repositories of personal data being created, and individuals potentially being less
cautious with their personal data when used for the purpose of helping respond to the crisis,
it is no surprise that the volume of cyber and phishing attacks has gone up in the wake of the
COVID-19 outbreak.

Research by the internet Security company Sophos has found that the volume of Coronavirus
email scams nearly tripled in the week commencing 23 March 2020, with almost 3% of all
global spam now estimated to be Covid-19 related. Research from Action Fraud suggests
there have been 105 coronavirus-related reports since 1 February 2020, with total losses
reaching nearly £970,000.

Examples of these scams are wide-ranging and include fraudulent messages sent by
criminals posing as:

the UK Government, texting individuals two messages in succession, the first mimicking
the bona fide Government text asking everyone to stay at home, and the second
suggesting that the recipient is facing a fine for leaving their home on multiple occasions
in a single day;

the World Health Organisation claiming that an email attachment details how recipients
can prevent the disease’s spread. The attachment, however, instead infects computers
with malicious software;

the Centre for Disease Control and Prevention, using one of the organisation’s legitimate
email addresses, sent by a spoofing tool, spreading unfounded rumours about
coronavirus. Hackers gain control of the email account once victims click on a link in the
email; and

the Department for Education asking parents of children eligible for free school meals for
their bank details, so that their child could still receive meals during school closures. This
goes some way to illustrate the lengths cyber criminals are willing to go to in order to
create an opportunity from this pandemic.
The Association of British Insurers has also warned that times of austerity tend to bring an
increase in insurance fraud, which is illustrated by the various Coronavirus insurance scams
that have emerged already in the US. There has been an increase in the registration of
webpages relating to the Coronavirus suggesting that if the outbreak intensifies, it is highly
likely that the volume of such attacks will rise. The National Cyber Security Centre has put
out guidance to individuals and companies to help spot phishing emails, the main message
being that it is advisable not to click any links before verifying that the sender is genuine.

See Five Practical Steps to Managing Your Cyber Security Risk During a Crisis for further
advice and tips on how to improve your cyber security posture.

CONCLUSIONS
The overview above shows the slightly overwhelming uses to which personal data is currently
being put to fight COVID-19. Whatever the method, it is clear that governments and private
organisations are rapidly gathering swathes of information on citizens in the name of
combatting a public health emergency.

However, speed and a desire to contribute to the current crisis should not be used to justify
data privacy compliance going out the window. For both public authorities and private
organisations, Data Protection Legislation still binds them and their actions, and should
remain a central consideration in their strategies. From data protection impact assessments,
to purpose limitations, to considered retention policies, we would still expect to see all of the
usual steps being taken as part of any project, just perhaps faster than ever before. Of
course, whether this is actually happening in practice is another question. It will be
interesting to see what happens to these initiatives, and the data that has been collected,
once COVID-19 is under control. It may be that we see regulatory action in response to
organisations that are perceived to have taken advantage of people’s willingness to share
their information for commercial gain. Behaving in a trustworthy manner with people’s data is
more important than ever before.

Putting the strict requirements of the Data Protection Legislation aside, data subjects are
facing unprecedented incursions into their privacy rights. Rightly, data subjects are willing for
their data to be used more than ever for the ‘greater good’, but there are fears in some
quarters that we are in the process of setting a new normal and effectively opening the
floodgates. If individuals accept unprecedented levels of data sharing now, will it be possible
to go back to a more restrictive and privacy-conscious world when the outbreak is over? Will
aggregated tracking become the new normal? We must hope that this situation is temporary,
and that business as usual returns swiftly once COVID-19 is under control, otherwise we may
see far more scrutiny of overzealous data processing where there is no pressing need.

It is vital that Governments continue to strive to achieve a balance between public health and
privacy so that the latter does not become another casualty of this pandemic.
KEY CONTACTS
If you have any questions, or would like to know how this might affect your business, phone,
or email these key contacts.

MIRIAM EVERETT HANNAH BROWN CHLOE KITE

PARTNER, LONDON ASSOCIATE, LONDON ASSOCIATE, LONDON

+44 20 7466 2378 +44 20 7466 2677 +44 20 7466 2540

Miriam.Everett@hsf.com hannah.brown@hsf.com chloe.kite@hsf.com

LEGAL NOTICE
The contents of this publication, current at the date of publication set out above, are for
reference purposes only. They do not constitute legal advice and should not be relied upon as
such. Specific legal advice about your specific circumstances should always be sought
separately before taking any action based on this publication.

© Herbert Smith Freehills 2020

SUBSCRIBE TO STAY UP-TO-DATE WITH LATEST THINKING, BLOGS, EVENTS, AND

MORE
Close

© HERBERT SMITH FREEHILLS LLP 2020