Information Commissioner publishes blog post on role of ICO and data protection law in creating public trust and confidence around COVID-19 status certification schemes

In her blog post the Information Commissioner, Elizabeth Denham, sets out how data protection laws and the ICO can help build public trust and confidence in any COVID-19 status certification schemes that the Government decides to bring into force. Ms Denham reveals that the ICO has already engaged with the Government about how data protection law and regulation need not be a barrier to the responsible use of personal data in any certification scheme. The ICO is also engaging with the devolved administrations.

Ms Denham says that in order to ensure trust and confidence in any certification scheme, it is crucial that “from the start, thought is given to how data can be used fairly and how this can be explained clearly to people using a scheme”.

Ms Denham explains that any organisation processing personal data as part of a COVID-status certification scheme would be responsible for using that personal data appropriately and for complying with data protection law. In other words, the usual data protection laws would apply to any such scheme. This means high standards of governance and accountability to ensure compliance with data protection principles, including transparency, fairness, data minimisation and storage limitation, and utilising a “data protection by design” approach as part of their planning.

Further, Ms Denham explains that if the UK plans to develop digital infrastructure as part of any COVID-19 status certification schemes, then they must be secure, fit for purpose and compliant with the law.

Ms Denham notes that people are sometimes concerned that information collected for one purpose might then be used for other purposes. She says that the UK data protection regime can “offer people reassurance here”, as the law expects organisations to be clear why they are using data, and the ICO can act to enforce.

Ms Denham warns, however, that there must be a “strong line from leaders on what is and is not acceptable” to avoid the situation where a range of organisations offers COVID-19 status certification services with varying levels of good governance and protections for personal data. “The failing of one initiative may undermine public trust in all such schemes”, Ms Denham notes.