Contact tracing, IoT and privacy: the future of data

Answer

As the global pandemic continues, one thing has become clear: information will be key to controlling the virus. Governments around the world are using data regarding the location, movements and interactions between individuals (ie, contact tracing) as a key component in their virus management strategies. Ensuring that the contact between an infected individual can be traced through the population is integral to limiting the spread of the virus. Information regarding an individual's health can also supplement contact tracing efforts, by identifying vulnerable people who have been in contact with an infected individual.

With the increasing number of goods and services including some form of connectivity, the ways in which such data can be captured have dramatically increased. This is undoubtedly a positive development for disease control and means that public health mitigation efforts can (theoretically) be implemented with great success. However, once we are through this virus and a degree of normalcy returns, some questions will remain: what does this all mean for data usage by governments and businesses in the future? And what challenges will this present for lawyers advising those parties and the individuals about whom the data has been gathered?

Contact tracing

‘Contact tracing’ is basically what it says on the tin: the act of tracing contact between individuals. The term will be familiar to those following the news around covid-19; it is the concept underpinning the NHS' proposed CV19 app and other similar apps developed by governments around the world (eg, the COVIDSafe app in Australia). These contact tracing solutions use a smartphone's location and data services to track where a person has been. If it is then subsequently discovered that a person is infected with the virus, authorities can easily identify other individuals that the infected person made contact with during the time they were potentially infectious via the data captured by the app (provided those other individuals also have the app installed).

Much has been made in the media around concerns regarding contact tracing (see the BBC's explainer here, and some contrasting perspectives here and here). However, contact tracing itself is by no means a novel innovation in the response to covid-19 – tracing the prior contacts of an infected individual is a tool that has been used for many years by public health agencies and is still commonly used around the world. The difference between the traditional approach and the new technological solution is that information regarding the individual's contacts would have been gathered only by an interview (based on the recollection of the individual or their next of kin), rather than by automatic technological means. Contact tracing in response to covid-19 is therefore no more pernicious than it was, or is, in other public health emergencies.

This is not to say there are no privacy concerns with contact tracing when used in app form. The privacy issues about contact tracing via technology can be boiled down to the following broad questions:

• What information is gathered?
• How is it stored?
• How can it be used?

The contrasts between traditional contact tracing and the technological form become evident by answering the above questions; a key difference with an app being that a person's contact is not traced after the point of diagnosis but rather as an ongoing measure. The discussion around what information is captured and the security of its storage is therefore an important one for both the authorities looking to implement these solutions (and their private sector contractors) and the individuals concerned. The Information Commissioner Elizabeth Denham recently released a blog article covering some of these issues (available here) and the Information Commissioner's Office (ICO) released a formal opinion on the current batch of contact tracing apps (available here). Data protection lawyers are likely to be involved in all stages along the journey of these apps, from conception to final release.

For the most part, the focus of this current debate seems to have focused primarily on data capture and storage in the immediate term. Yet as recognised in point six of Denham’s blog post, a key concern is: how will this data be used when this is all over? This is harder to predict. In some ways, this question is just as applicable to a broader trend in goods and services and how they are provided to the public now and into the future.

IoT and big data

The debate regarding data and its use in this time of pandemic is happening in the context of a larger and slower, but perhaps even more pervasive, shift towards constant interconnectivity and data capture. The information usage in this context is indicative of a wider movement towards the capture of information on everything from location data, to energy usage, to consumer purchasing preferences. Public and private organisations can now more easily gather and use information than ever before, for both altruistic and commercial purposes. The resulting data flows include both information relating to individuals (in some cases comprising personal data) and aggregated anonymised/pseudonymised information (big data).

One increasingly important data source is the 'Internet of Things' (IoT). The term refers to the system of interconnected devices that can capture and transfer information of a network (ie, 'things' rather than just 'computers'). Examples of this technology are everywhere and include those that are easily identifiable as members of the IoT (eg, voice-controlled smart speakers) and those less identifiable (eg, thermostats and light fittings). The information captured by these devices can range from the relatively simple, such as usage time/frequency of a product, to the complex, such as specific consumer purchasing preferences. That information is captured and transferred from these 'things' over the Internet to the manufacturer or service provider.

The usage of data is the important point here. In most cases, consumers will happily accept – or 'consent' – to the terms and conditions of a product when installing an app or using a good. With the click of a button, a business ostensibly has the authority from the customer to capture and use a whole range of data points from the end use of its products/services. This information can act as a real-time indicator of marketing success and can feed into current and future product/service development. And the insights obtained are useful for more than just good manufacturers – smart metering of electricity and gas supply is an example of how data capture may have tangible benefits for consumers and the environment (see here). Information can even be aggregated and commodified and itself sold as a product (much like social networks already do).

Businesses that manufacture, market and sell these devices are already aware of the privacy issues surrounding them. And if they aren't, they should be (see the ICO's view here). However, while many people own and use such devices, few will understand the particular privacy considerations behind them.

This is where the debate regarding contact tracing may be felt most – it provides a practical and real-world example of how data capture can affect the everyday lives of the public. The privacy questions regarding contact tracing are equally applicable to the use of a smart phone app that keeps a log of all locations visited by its user, and to the use of a fridge which keeps track of all the items purchased by its owner. As individuals become more aware of the use of their data in the way envisaged by innovations such as contact tracing and the IoT, the businesses that use the data must be clear on their rights and responsibilities in doing so. Legal representatives advising all parties in the chain will accordingly need to become equally versed in privacy law as it relates to their clients' rights and obligations.

Privacy law and privacy literacy

You may ask: "That's all well and good, but where is the law in this?". At present, the same legal framework regarding data capture and storage applies to all of the above scenarios. In fact, the same framework applies to all forms of contact tracing, whether undertaken by way of an interview or an app. In the UK, that framework is the Data Protection Act 2018, and for the immediate future, the EU's General Data Protection Regulation (GDPR). For the purposes of this article, and incidentally in many commercial agreements, this is referred to as the 'UK Data Protection Legislation'.

The UK Data Protection Legislation is both complex and flexible in its approach to situations regarding privacy and data. On its surface the GDPR can be difficult to navigate, in that it is structured in a way that requires the person who controls the information captured (the 'controller') to make various qualitative assessments around whether:

• the processing of personal data is 'necessary';
• certain purposes are 'legitimate'; and
• the gathering/processing of that information is being done in a 'transparent' manner.

Such assessments are very context specific and the legality of the use of data in one situation is often not easily analogous to another. It is therefore difficult, if not impossible, to make sweeping statements as to whether a particular technology or data use is ‘legal’ under UK data protection legislation.

The basis on which data is being used in the circumstances of covid-19 is slightly clearer. Article 6(4) of the GDPR provides that personal data may be processed for further incompatible purposes on the basis of an EU or member state law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), such as public health emergency.

Similarly, data capture by IoT and the differences between treatment of anonymised and pseudonymised data are also clearly addressed in the UK data protection legislation (see Article 4(5) and Recital 26 of the GDPR). Beyond those headline points is where it becomes more complicated (in particular on the role and quality of consent, the rights of data subjects and controller/process relationships).

On a broader level, Article 5 of the GDPR (which sets out the principles relating to processing of personal data) and in fact the whole of Chapters 2 and 3 of the GDPR are good starting points for those looking to familiarise themselves with the intention and scope of UK data protection legislation as it relates to the issues discussed above. It is of course beyond the scope of this article to explore the application of that framework to contact tracing and the IoT in detail. Suffice to say that future (and current) commercial lawyers should note the increased likelihood of being presented with these questions in their daily practice, as these tools become ubiquitous in modern goods and services. Having a general familiarity with data protection, even if you do not intend to specialise in the area, is likely to pay off in the long run.

Kurt Wicklund is a commercial and energy associate in the commercial team at Michelmores LLP.