Data ownership and contact tracing

Who owns the data about individuals collected by the UK Government, NHS, academics and private companies in context of the COVID-19 pandemic such as data from contact tracing apps?

Legal framework

In the UK, there is no comprehensive framework to determine ownership of data, which is not generally understood to be property¹. For example, English judges have held that confidential information is not property which can be stolen² and that it was not possible to exercise a lien over intangible property such as an electronic database³. However, there are laws that regulate and offer protection to certain types of data, such as the data protection legislation or laws relating to copyright, database rights and breach of confidence / trade secrets.

In Europe (including the UK) governments have been keen to encourage sharing of non-personal data to unlock the value of such data and promote innovation⁴ but the collection and sharing of personal data has been strictly regulated.

The data protection legislation in the UK does not designate individuals as "owners" of their personal data but has provided individuals with certain rights (such as the right to be informed, right of access or right to erasure), strengthened the obligations of controllers and processors of personal data, and introduced new enforcement powers.

Contact tracing

Ownership of health data is a particularly sensitive subject. Whilst the current prevailing mood  may be one where many individuals are happy to share their personal health data for medical research purposes⁵, contact tracing apps work on the principle of connecting people who are unknown to each other, to each other and to particular locations and times. Significant amounts of data will be captured and in time there may well be concerns about who has this data and the purposes for which it might be used.

Data protection regulators are alert to the risks posed by public institutions sharing personal health data of their patients with the private sector. The UK Information Commissioner's Office (the "ICO") has been previously clear that while data protection laws do not get in the way of innovative use of data, innovation should not be at the expense of eroding legally ensured fundamental privacy rights⁶., The UK data protection legislation imposes strict obligations on controllers, i.e. the persons who determine the purposes and means of the processing of personal data. In relation to the NHS COVID-19 app, it has been announced that the controller is the Department of Health and Social Care together with NHS England and NHS Improvement⁷.

The controller is responsible for ensuring compliance with the data protection legislation, including the fundamental data protection principles established in the General Data Protection Regulation (the "GDPR") of lawfulness, fairness and transparency. Controllers are accountable for complying with these principles, including ensuring purpose limitation, establishing legal basis for processing of the data, limiting the amount of data collected and only for the necessary time period (data minimisation), and implementing "privacy by design". Controllers are also responsible for providing transparent information to individuals about their personal data as well as for the compliance of their processors. Controllers must also ensure that individuals can exercise their rights regarding their personal data, including the rights of access, rectification, erasure, restriction, data portability, objection and those related to automated decision-making. It is these rules which will, in practice, regulate the way in which the data collected through use of contact tracing apps is handled rather than concepts of "ownership" of the data being collected.

In relation to the NHS COVID-19 contact tracing app, the controller must, amongst others, decide:

• what exactly the purpose for collecting and processing the personal data is;
• who will the data be shared with and under what conditions; and
• how long will the data retained for.

To ensure transparency, increase public confidence in the solutions adopted, and provide independent oversight, some have called for the above to be enshrined by way of primary legislation that would offer assurance about the privacy protections for any data collected⁸. The UK Government has not announced its intention to introduce such legislation yet but a draft Private Members Bill has been sent to the Leader of the House of Commons.

The ICO has also been actively engaged in the discussions around the NHS COVID-19 contact tracing app and made its statements about it public. Similarly, the European Data Protection Board and the European Commission have published guidelines on the use of data in the context of the COVID-19 outbreak. These provide a good starting point for organisations thinking about using data to combat the COVID-19 pandemic.

Whether the controller is the Department of Health and Social Care, the NHS, local authorities, academic institutions, or private companies, it is important for any controller who processes personal health data in the context of COVID-19 pandemic to engage with the data protection concerns and  be transparent with the public about the data protection safeguards adopted. Compliance with the data protection legislation , rather than analysis of who "owns" this personal data is the key legal concern. Compliance with data protection legislation will  also engender public trust and confidence  in the way organisations use  personal health data to combat the COVID-19 pandemic.