Coronavirus-tracking smartphone apps don't invade privacy says data watchdog

So long as the data is anonymised, says ICO, as coronavirus tracking apps and data sharing projects puts data protection in the spotlight.

Smartphone surveillance: Four different strategies to track COVID-19
1:16

It's okay for the government to use smartphone location tracking data to help fight and monitor the spread of coronavirus – so long as the data is anonymised, the Information Commissioner's Office has said.

The government has reportedly held talks with mobile phone operators to use location and usage data to track movements of UK citizens in an effort to identify patterns, track the spread of the virus and ensure social distancing and lockdowns are being adhered to.

And now the ICO – the UK's data protection watchdog – has approved the use of location tracking in order to help during the coronavirus crisis, so long as the data is anonymised to protect the privacy of individuals.

"Generalised location data trend analysis is helping to tackle the coronavirus crisis. Where this data is properly anonymised and aggregated, it does not fall under data protection law because no individual is identified," said ICO deputy commissioner Steve Wood.

"In these circumstances, privacy laws are not breached as long as the appropriate safeguards are in place," he added.

SEE: Sensor'd enterprise: IoT, ML, and big data (ZDNet special report) | Download the report as a PDF (TechRepublic)

The ICO has provided advice on how data protection laws can be flexibly applied to protect lives and data, while also securing the safety and security of the public – and the authority will continue to offer advice to the government on the application of data protection law during the coronavirus pandemic.

Some countries including Israel, Singapore and South Korea are already tracing location data in an effort to track the spread of coronavirus, while other countries including the US and the UK are examining the prospect of doing so.

But while the tracking of location data is being used in an effort to protect people from coronavirus, the practice has raised potential privacy concerns – particularly if the anonymised data can be pieced back together to identify individual users, or of the collection of this data continues following the end of the pandemic.

As technology is deployed to help fight coronavirus, data protection has increasingly come under the spotlight.

Last week it was revealed US technology companies including Amazon, Microsoft and Palantir are set to help the National Health Service collect and analyse patient data, raising the prospect of privacy concerns around how the data will be stored by those involved – although the NHS says all records will be destroyed when the crisis is over.

The companies will gather data to help the NHS understand trends in how the COVID-19 outbreak is developing and how the health service can best react, arguing that it needs a data store because without a single place to gather and analyse this data, decision-makers are unable to move quickly as the response demands.

NHS England will create a data store from multiple data sources, such as 111 online/call centre data from NHS Digital and Covid-19 test result data from Public Health England.

In a blog post, the Department of Health said that the NHS is facing an "unprecedented challenge" in responding to COVID-19 and outlined how collected data will be collated into a "single source of truth" to track and understand the crisis.

It said all the data in the data store is anonymous, subject to strict controls to ensure that individuals cannot be re-identified, like removing identifiers such as name and address and replacing these with a pseudonym. GDPR principles will be followed, for example the data will only be used for Covid-19 and not for any other purpose and only relevant information will be collected, the NHS said.

"In this time of crisis, we need the private sector to play its part to tackle these unprecedented challenges," said the post. "Our technology partners are subject to the same strict rules for information governance that we follow in our day to day work".

FURTHER READING