The saying ‘unless you have been living under a rock’ has taken on a new meaning in the last few months, with so many of us having been forced to stay at home for such lengthy periods of time. However, unless you really have been living under a rock, you can’t help but have noticed a lot of discussion around the Government’s, somewhat mythical, track and trace app.
The purpose behind Track and Trace, should it ever appear from underneath its own proverbial rock, is to enable the Government to monitor the spread of the novel coronavirus, to identify any ‘hotspots’ and to alert anyone who may have come into contact with an infected person. One of the key areas of discussion has been around the security, or otherwise, of the personal data that the app will leverage to perform its function.
This discussion has taken on a new level of detail, with the Open Rights Group now claiming that, as the Department of Health failed to undertake a Data Protection Impact Assessment (“DPIA”), the app and, by extension, the Government, do not comply with the Data Protection Act 2018, or the GDPR, and are therefore processing personal and sensitive data unlawfully.
I’m not going to go into detail as to whether or not the Government is processing data unlawfully (it has admitted that it has failed to complete a DPIA for the app; read into that what you wish), but will take the opportunity to use this as a reminder of the role of DPIAs in assisting in your never-ending mission towards GDPR compliance.
Guidance clearly states that a DPIA must be completed where you are undertaking any processing that is likely to result in a high risk to individuals and where it will involve the processing of personal data. As an example, it would be best to complete a DPIA where you are implementing a new CRM system or are digitising paper records, amongst many other projects.
By completing a DPIA at the outset of a project, or at least before any high risk processing is undertaken, you are much more likely to identify any risks those activities pose to your GDPR compliance which will help you to put in place procedures to minimise, if not eliminate, those risks.
A DPIA is also a very useful document to have should something go wrong as it can be used as part of any evidence submitted to the Information Commissioner’s Office, should they want to have a look at what you are doing and understand how the processing activities may have gone awry. In short, the DPIA actually serves a very useful purpose as a risk management tool for businesses and individuals alike, as well as an integral document required for GDPR compliance.
For help and advice on applying a DPIA to your activities, or on any area of the GDPR, please contact Matt Jackson or another member of the Commercial Team and we’ll be more than happy to make the never-ending journey that little bit smoother.
For details on the NHS Test and Trace system, please click here.
These notes have been prepared for the purpose of an article only. They should not be regarded as a substitute for taking legal advice.