Who owns the data about individuals collected by the UK Government, NHS, academics and private companies in context of the COVID-19 pandemic such as data from contact tracing apps?
In the UK, there is no comprehensive framework to determine ownership of data, which is not generally understood to be property1. For example, English judges have held that confidential information is not property which can be stolen2 and that it was not possible to exercise a lien over intangible property such as an electronic database3. However, there are laws that regulate and offer protection to certain types of data, such as the data protection legislation or laws relating to copyright, database rights and breach of confidence / trade secrets.
In Europe (including the UK) governments have been keen to encourage sharing of non-personal data to unlock the value of such data and promote innovation4 but the collection and sharing of personal data has been strictly regulated.
The data protection legislation in the UK does not designate individuals as "owners" of their personal data but has provided individuals with certain rights (such as the right to be informed, right of access or right to erasure), strengthened the obligations of controllers and processors of personal data, and introduced new enforcement powers.
Ownership of health data is a particularly sensitive subject. Whilst the current prevailing mood may be one where many individuals are happy to share their personal health data for medical research purposes5, contact tracing apps work on the principle of connecting people who are unknown to each other, to each other and to particular locations and times. Significant amounts of data will be captured and in time there may well be concerns about who has this data and the purposes for which it might be used.
Data protection regulators are alert to the risks posed by public institutions sharing personal health data of their patients with the private sector. The UK Information Commissioner's Office (the "ICO") has been previously clear that while data protection laws do not get in the way of innovative use of data, innovation should not be at the expense of eroding legally ensured fundamental privacy rights6., The UK data protection legislation imposes strict obligations on controllers, i.e. the persons who determine the purposes and means of the processing of personal data. In relation to the NHS COVID-19 app, it has been announced that the controller is the Department of Health and Social Care together with NHS England and NHS Improvement7.
The controller is responsible for ensuring compliance with the data protection legislation, including the fundamental data protection principles established in the General Data Protection Regulation (the "GDPR") of lawfulness, fairness and transparency. Controllers are accountable for complying with these principles, including ensuring purpose limitation, establishing legal basis for processing of the data, limiting the amount of data collected and only for the necessary time period (data minimisation), and implementing "privacy by design". Controllers are also responsible for providing transparent information to individuals about their personal data as well as for the compliance of their processors. Controllers must also ensure that individuals can exercise their rights regarding their personal data, including the rights of access, rectification, erasure, restriction, data portability, objection and those related to automated decision-making. It is these rules which will, in practice, regulate the way in which the data collected through use of contact tracing apps is handled rather than concepts of "ownership" of the data being collected.
In relation to the NHS COVID-19 contact tracing app, the controller must, amongst others, decide:
- what exactly the purpose for collecting and processing the personal data is;
- who will the data be shared with and under what conditions; and
- how long will the data retained for.
To ensure transparency, increase public confidence in the solutions adopted, and provide independent oversight, some have called for the above to be enshrined by way of primary legislation that would offer assurance about the privacy protections for any data collected8. The UK Government has not announced its intention to introduce such legislation yet but a draft Private Members Bill has been sent to the Leader of the House of Commons.
The ICO has also been actively engaged in the discussions around the NHS COVID-19 contact tracing app and made its statements about it public. Similarly, the European Data Protection Board and the European Commission have published guidelines on the use of data in the context of the COVID-19 outbreak. These provide a good starting point for organisations thinking about using data to combat the COVID-19 pandemic.
Whether the controller is the Department of Health and Social Care, the NHS, local authorities, academic institutions, or private companies, it is important for any controller who processes personal health data in the context of COVID-19 pandemic to engage with the data protection concerns and be transparent with the public about the data protection safeguards adopted. Compliance with the data protection legislation , rather than analysis of who "owns" this personal data is the key legal concern. Compliance with data protection legislation will also engender public trust and confidence in the way organisations use personal health data to combat the COVID-19 pandemic.
1 See HM Treasury's discussion paper on the economic value of data (2 August 2018).
5 See, for example, the 100,000 Genomes Project which recruited NHS patients to sequence 100,000 whole genomes to enable new scientific discovery and medical insights based on patients' consent.
6 See, for example, ICO's 2017 investigation into sharing patients' data with the private sector which found several shortcomings in how data was handled, including that patients were not adequately informed that their data would be used as a part of the test. The message was reinforced in the ICO's statement from March 2020 on data protection and coronavirus.
7 See the Data Protection Impact Assessment for the pilot of the NHS COVID-19 App on Isle of Wight.
8 See, for example, the report on Digital Contact Tracing published by the UK Parliament's Joint Committee on Human Rights (7 May 2020) or the evidence review on the technical considerations and societal implications of using technology to transition from the COVID-19 crisis published by the Ada Lovelace Institute (20 April 2020).