See below for the latest Data Blast from our legal team: UK Test and Trace scheme may face legal challenge; Belgian school board failed to obtain parental consent for survey of under-13s; Guidance from European Board on data collection when reopening national borders; Iconic Canadian coffee chain in hot water over location tracking data...

Privacy group launches legal challenge to NHS ‘Test-and-Trace’ scheme over data protection concerns

A digital rights group has threatened to launch legal proceedings over the alleged mishandling of the personal data of over 150,000 people enrolled in the Test and Trace Scheme. Under the Scheme, which began on May 26th 2020, contract tracers are tasked with calling people who have tested positive for coronavirus, and asking them to confirm who they have been in close contact with in the two weeks prior to their diagnosis. The data being collected also includes date of birth, sex, NHS number, email, telephone and details of any Covid-19 symptoms experienced.

The Open Rights Group (ORG) has sent a pre-action letter to the Health Secretary Matt Hancock and the Department of Health and Social Care (DHSC) setting out its concerns, and has said that it will seek to commence a judicial review unless the government completes a full review of how personal data is being handled under the Scheme by July 8th.
It is understood that the ORG has particular concerns after Public Health England stated that it would retain personally identifiable data of those who test positive for Covid-19 for 20 years. The ORG is concerned that any retained personally identifiable data could be subsequently obtained by the Home Office, or other government departments for immigration or other purposes.

Jill Killock, ORG’s executive director, has said that “the Government needs to better explain its reasoning; what they have done so far has been rushed. Our concern is people will feel reluctant to participate if they feel their personal data is leaving their control.”

The ORG has also raised specific concerns that the Department of Health has failed to conduct a proper Data Protection Impact Assessment (DPIA) as required by Article 35 of the General Data Protection Regulation (GDPR), where the envisaged data processing is likely to result in a high risk to the rights and freedoms of individuals. It appears the government accepts a DPIA was necessary, and indeed some aspects of the Scheme were subject to DPIAs, but ORG maintains that that approach was not compliant with the GDPR and has therefore demanded full details of the government’s consideration of the privacy impact of the Scheme.

This news comes as a reminder that even during the extraordinary time of a pandemic, data controllers must be mindful of their obligations under the GDPR and the Data Protection Act 2018, before and during the collection and processing of any personal data. Not only is proper handling of personal data a legal requirement, it may also affect the trust and confidence that individuals have in an organisation, whether that be a public agency or private business.

Belgian DPA finds schoolboard in violation of GDPR

On June 16th, the Belgian data protection authority (Belgian DPA) found that a Belgian schoolboard had violated the GDPR principles of data minimisation and transparency, and had unlawfully processed data by failing to gain parental consent for a ‘well-being’ survey circulated to students.

The schoolboard in question sent the survey to its first-year students (12 years of age) through the Smartschool system. Shortly after doing so, a complaint was made to the Belgian DPA that the survey did not require parental consent, lacked sufficient information, and that data minimisation had not been properly applied, as students were asked about their classmates and bullying without having their identity anonymised. The complaint also alleged that the schoolboard should have carried out a data protection impact assessment (DPIA), but had not done so. The schoolboard responded by stating that parental consent was not required, as another legal basis (processing necessary for compliance with legal obligations) applied, that sufficient information had been provided, and that no special category personal data was being processed. However, the schoolboard submitted that future surveys would based on well-being questionnaires approved by the Flemish Education Inspectorate, in order to respect the principle of data minimisation.

Accordingly, the Belgian DPA had several data protection questions to consider. First, whether the legal basis for the schoolboard’s processing fell under Art.6(1)(a) (requiring consent) or Art.6(1)(c) (processing necessary for compliance with legal obligations) of the GDPR; and if the consent was required, whether parental consent was necessary given the age of the students. Second, whether the schoolboard failed to comply with the principles of transparency and data minimisation. Third and lastly, whether the schoolboard required to carry out a DPIA.

In answering the first question, the Belgian DPA concluded that, as the students were under 13 years of age, processing is only lawful under Art.6(1)(a) and that parental consent is thus required. Accordingly the schoolboard had infringed Art. 8 of the GDPR by failing to obtain parental consent. Regarding the second question, the Belgian DPA found that the schoolboard had failed to meet its obligations under the data minimisation principle (by failing to anonymise student data) and transparency principle (by failing to demonstrate that pupils were adequately informed). However, in assessing the third question, the Belgian DPA were satisfied that there was no obligation on the schoolboard to have carried out a DPIA, as there were relatively few data subjects and there was a low risk to their rights and freedoms.

Interestingly, while the complainant argued that the schoolboard should have informed parents of the survey in advance, the Belgian DPA disagreed, stating that Art. 8 only requires parental consent, and does not provide for transparency measures addressed to the individual providing consent. This calls to question the exact extent of consent that parents must provide on behalf of their children.

EDPB releases statement regarding the reopening of European borders

On June 16th, the European Data Protection Board (EDPB) issued a statement concerning the personal data processing issues arising from the reopening of EU borders.

In light of EU borders re-opening after the initial coronavirus lockdown, countries are putting in place measures to limit movement of people into and within their borders, including Covid-19 testing, voluntary contact-tracing apps, and requiring health professional certification, all of which require the processing of personal data. Accordingly the EDPB statement reminds Member States that these measures cannot erode individuals’ fundamental rights and freedoms (including individuals’ data protection rights), and stresses that all Member States must employ a common approach when assessing whether certain processing is necessary for slowing the spread of the virus. Importantly, any such activities should meet the GDPR requirements of proportionality and necessity, and should have a strong scientific basis.

The EDPB statement lists certain GDPR requirements which must be considered in relation to such processing, including:

  • Lawfulness, fairness and transparency: Processing must be transparent and fair towards data subjects and have a proper legal basis;
  • Purpose limitation: The purpose for processing should be specified for every data controller, and be limited to combatting the spread of the virus;
  • Data minimisation: Member States should only process data that are adequate, accurate, relevant and limited to what is necessary regarding their defined purpose;
  • Storage limitation: Data must only be kept for a short period, and no longer than is necessary;
  • Data security: Member States must implement technological and organisational measures to ensure an appropriate level of data security;
  • Data protection by design/default and DPIAs: Member States should implement data protection by design and by default, and carry out a DPIA where applicable;
  • Sharing of personal data: Data processing agreements should be in place when data is shared with processors, and the parties’ responsibilities should be clearly defined;
  • Automated individual decision-making: The decision to allow or deny entry to a country should not be determined only by the relevant technology (i.e. there should be a right human intervention in the process), and should include suitable safeguards.

Finally the EDPB stressed the importance of prior consultation with national data protection authorities, where Member States process data in the context of limiting the spread of the coronavirus.

Iconic Canadian coffee chain facing investigation over mobile app

On June 29th, it was announced that Tim Horton’s is under investigation by Canadian privacy authorities, after reports suggested that its mobile app may be collecting and using excessive user location data.

The Office of the Privacy Commissioner of Canada, as well as the provincial privacy authorities of Quebec, British Columbia and Alberta, announced plans to investigate whether the company’s app complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) which governs the security of consumer’s personal data in Canada. Earlier in June, a report by the Canadian Financial Post explained that when one of their writers requested his data from Tim Horton’s under PIPEDA, he found that the app was keeping a log of all of his movements, even when the app was not in use.

In a statement, the federal Privacy Commissioner’s office announced that it will determine where the company, ‘is obtaining meaningful consent from app users to collect and use their geolocation data for purposes which could include the amassing and use of detailed user profiles, and whether that collection and use of the data is appropriate in the circumstances.’
A spokesperson for Tim Horton’s has said it will cooperate with any investigation, but that it disputes allegations that their app is collecting data in a way users were unaware of, stating that since the app was launched, ‘guests always had the choice of whether they share location data with us, including ‘always’ sharing location data — an option offered by many companies on their own apps.’ However, Tim Horton’s acknowledged that they have updated the app to limit location data collection to take place only while users are actively using the app, or where they have selected always to share their location data.