As the coronavirus crisis continues, governments are rightly concentrating on slowing down the spread of the virus and ensuring that hospitals and other vital services are not overwhelmed.
But, as time goes on, thoughts will inevitably turn to what happens once the initial wave of the virus has dissipated. One possible outcome, in the absence of a vaccine, is that the current restrictions on social distancing will be relaxed once cases drop or disappear, only to be reintroduced repeatedly as the virus reappears or is reintroduced from other countries.
If we are to respond better to a second wave, we will certainly need much better access to information. We already know the importance of acting quickly to test, isolate cases, trace contacts and quarantine potential carriers.
These actions appear to have worked in some countries, such as South Korea, where the initial outbreak was brought under control with greater success than in European countries. They were also part of the UK government’s original ‘contain’ strategy, before we moved to a broader ‘delay’ phase.
Countries in South East Asia, such as Singapore, South Korea and China, have taken the lead in using technology for contact tracing and quarantine enforcement. This has included widespread surveillance of the population using mobile phone data.
It is reported that the US has been in talks with the major internet companies to utilise similar technology, and various countries in the EU are also considering adopting new measures. What might these look like, and what are the possible privacy implications?
Location data from mobile phones can provide authorities with valuable information about how and when people move around and who they interact with.
Apps have also been developed which use Bluetooth to automatically log details of individuals whose paths intersect, which can then be used to trace contacts, such as people who sat in the same carriage on a train. Although these seem like promising sources of information, they inevitably give an incomplete picture.
Not everyone carries a mobile phone, for instance, and not everyone will download and use specific apps. Nevertheless, we know this technology is already being used in some countries, usually on a voluntary basis, although the BBC has reported on a case of quarantine being enforced in Taiwan using mobile phone data. We don’t yet know enough to judge whether they have been successful in slowing the spread of coronavirus.
In Europe, there are much stricter rules around surveillance and the use of personal information, as well as specific limitations on the use of mobile phone location data. The European Convention on Human Rights gives individuals a right to privacy.
This is not an absolute right, and it may be interfered with by government where it is necessary to do so for public safety or the protection of health. Innovative approaches to data collection and sharing may well be required during the pandemic, but they need to be properly thought through and proportionate.
Collection of extra data should not be done just because we have the technology to do so, but only if it will actually help in the fight against the virus. Unless a clear link can be established between surveillance technology and halting the spread of the virus, European governments could find themselves open to legal challenge.
European data protection law requires any organisation or government wishing to collect and use information about identifiable individuals to ensure that it is fair and lawful. In practice, this means that governments would need to consider the potential adverse impact on those individuals, and to weigh up the benefits of any mass surveillance solutions against the resulting loss of privacy.
Of course, we are all getting used to some very severe new limits on other rights we would usually take for granted, such as our freedom to move around and to meet our family and friends.
At this moment in time, most would agree that the benefits of stopping or at least slowing the spread of the virus are worth the limits on our normal rights. But these restrictions are very clearly temporary, and will be lifted once the immediate threat is over. The fear with surveillance technology is that, once governments have access to such useful data about their citizens, they won’t want to give it up.
One solution to these issues may be to use anonymised information. Truly anonymised information cannot be linked to identifiable individuals and so does not raise the same privacy concerns, but it may still provide crucial intelligence about the potential spread of the virus.
In the UK, the NHS is already using anonymised data to model potential virus hot spots and allocate resources accordingly. An example of anonymised information is aggregated location data from mobile phones. This could be used to track journeys and better understand where the virus may appear next.
Use of location data is subject to specific rules and generally can only be used anonymously. But in the age of big data, where so much information is available about all of us, there are legitimate concerns that location data is not really anonymous and can be easily used to identify individuals.
Most of us would agree that we should be using all available tools to combat the coronavirus pandemic, to minimise the loss of life and protect the most vulnerable in society. This may include the use of surveillance technology, but only if it can genuinely be shown to make a real difference. However, as with the restrictions on our other rights, we should expect our right to privacy to be only limited when it is necessary to do so. A pandemic should not be used as an excuse to erode fundamental rights.
By Jon Belcher, commercial lawyer with Blake Morgan
Jon Belcher is a commercial lawyer with Blake Morgan, specialising in information governance, data protection compliance, information sharing and freedom of information issues. Jon has wide experience of drafting commercial agreements, with a specific focus on data sharing and processing agreements.
He has advised on the data protection implications of large commercial transactions, including major public sector procurements, complex data export arrangements and direct marketing campaigns. He also acted as lead advisor to clients in the media and utilities sectors in respect of GDPR compliance, and is regularly instructed by public sector bodies and charities in Wales and England on data protection matters.
About Blake Morgan
Blake Morgan is a UK law firm providing a breadth of legal services across the private, public and third sectors with a strong regional presence across southern England and Wales. The firm has six offices: Cardiff, London, Oxford, Portsmouth, Reading and Southampton.
With a long heritage and committed client base, the firm’s partners and teams provide a depth of expertise in their key sectors. The firm aims to deliver exemplary service to its clients and to make a difference through teamwork, integrity and innovation.