
2 July 2020

Security and privacy implications around health data and tracking and tracing

By Carol Tullo, OBE, Senior Consultant

Online security and privacy underpin the technology solutions transforming the approach to coming out of lockdown. We have all got used to the tools that have enabled the shift to home and remote working in the past four months. We, our work, and our organisations have adapted, possibly never to revert to the position pre-Covid. The pandemic has seen us all embrace virtual solutions. This is played out across the media as we look at how tracking and tracing will ease the lockdown.

Apps are a supplement to contact tracing and no one country seems to have the complete answer. Singapore’s Trace Together App worked technically, but it had battery-draining issues for phones that deterred use, so the distribution of personal wearable devices is in hand to counter this. In France, 2 million downloaded their App in 3 weeks, but since then nearly 500k have uninstalled it. As at 25 June, the German Corona-Warn-App was downloaded 13m times in a population of 83 million. The UK trial only worked across 4% of iPhone contacts and has marked a change in approach. The Indian Government published the source code of their App in May following controversy about privacy and security. It was mandatory for government and private sector employees to download it and 131 million did so.

In the UK, the Information Commissioner, Elizabeth Denham, blogged in April that “as with any new technology, the public need to have confidence that it is being used in a fair and proportionate way”. She emphasised that data protection law must not get in the way of innovative use of data in this public health emergency. How can we have confidence in how our data is being used, and in how we are using others’ data?

The GDPR principles provide a robust framework and specifically provide for health data to be used and shared in the appropriate circumstances. This affects all organisations, whatever the size or sector, as there will have been a need to collect personal data for staff and colleagues who were ill, ready for their return to work. Deleting this data when no longer needed and holding it securely should now be second nature to the information management professionals out there.

Perhaps less well known outside the specialist fields of health care and life sciences is the role of the National Data Guardian for Health and Social Care, Dame Fiona Caldicott. She developed the “Caldicott principles” that organisations should follow to ensure patient confidentiality and ensure that information that can identify a patient is only used when appropriate to do so. So far so GDPR. We would all recognise these principles, e.g. using the minimum amount of data necessary and justifying the use. Interestingly, a consultation launched on 25 June includes an additional 8th principle called the “no surprises” rule. It proposes a range of steps that should be taken to ensure ‘no surprises’ for patients and service users about how their confidential information is to be used. This includes providing relevant and appropriate information to promote understanding and acceptance of uses of information. Patients and service users should be given an accessible way to opt out. Again, an approach neatly aligned with GDPR.

For those of us working in this area, it is a vital reinforcement of the common-sense steps we take to safeguard personal data, especially in the current crisis with so much more collection, sharing and temporary storing of this sensitive information. As lockdown hit on 23 March, the Health Secretary issued notices, under patient information regulations, requiring relevant organisations involved in the response to Covid-19, such as NHS Digital, GPs, health organisations and local authorities, to share data. Without this legal responsibility, some of the digital transformation and innovation in delivering the rapid response services, like home testing or the 111 service mobilising the return of retired doctors, would have been hampered. Merging data across numerous symptom tracking Apps has enabled epidemiologists to understand how the virus behaves and its spread.

We are in a new world of dependence on personal data to open up our businesses and premises and services in the coming weeks. Operating within statutory and regulatory boundaries is key and will remain that way until we are the other side of the pandemic. There will be a lot of data controllers who have refreshed their and their colleagues’ understanding and awareness of the basics in looking after personal data. In one sense, a sound grounding of online security and data governance is the new data superpower.

Good data hygiene, as well as understanding the importance of data management, is vital in terms of commercial strategy and safeguarding data. Naomi Korn Associates offer GDPR Health Checks, which are carried out by our expert consultants; for more details, see our Consultancy page.

© Naomi Korn Associates, 2020. Some Rights Reserved. The text is licensed for use under a Creative Commons Attribution Share Alike Licence (CC BY SA)