Recently, the ICO published a statement about the use of mobile phone tracking during the COVID-19 crisis. The statement provided that generalised location data, where properly anonymised and aggregated, does not fall under the remit of data protection laws. In addition to this statement, the government has now set out further information on how it intends to use data during the pandemic.
The government intends to use data to understand and anticipate the demand on healthcare services. Currently, some existing NHS functions already capture the necessary data, but the government wishes to centralise this, so that it can move and respond as quickly as possible.
The initial data store will contain information from NHS ‘111’ calls through to COVID-19 testing kit data. The data will then be cleansed, integrated and harmonised to create a single dashboard of reliable information. The data will create a ‘live’ view of the metrics underpinning the crisis, so practitioners can better understand the virus and the impact it may have on the healthcare system. These metrics include a detailed breakdown of current occupancy levels at hospitals, current capacity of A&E departments and current waiting times, and statistics about the lengths of stay for COVID-19 patients.
The government has confirmed that NHS England and NHS Improvement will retain control over this data. The guidance notes that NHS England and NHS Improvement have entered into data processing agreements with various third-party technology providers, who shall act in a data processor capacity. Once the COVID-19 crisis has been contained, the data must either be deleted or returned. The data store will follow GDPR principles and strict control measures will be put in place to ensure compliance with data protection laws. One version of the dashboard will be made available to government decision-makers, and another version will be made available to support public understanding.
Why is this important?
The government’s approach confirms that despite the ongoing global COVID-19 crisis, organisations must take steps to comply with data protection law. The ICO is a pragmatic regulator, but this does not mean that organisations can allow compliance to fall by the wayside. Additionally, this approach highlights the ever-growing utility of personal data in our society and how it can be used in myriad ways to benefit the public.