Privacy – UK Government assessment

Recent legislative and policy changes have introduced certain new safeguards on data protection, surveillance and data retention. However, questions remain about the adequacy of the legal framework and the privacy implications of forthcoming legislation. New digital technologies (such as automated facial recognition technology), data use and data sharing pose particular challenges to privacy rights, and the UK Government’s response to the coronavirus (COVID-19) pandemic has had new privacy implications.

• The UK Government’s response to the COVID-19 pandemic and contact-tracing programme has given rise to various privacy concerns. In July 2020, following a legal challenge, the Department of Health and Social Care admitted to launching the NHS Test and Trace service for England without carrying out a Data Protection Impact Assessment (DPIA) addressing all aspects of the programme. A DPIA has since been published but concerns remain about aspects of the contact-tracing system.
• There are concerns about essential public services, such as the police and NHS Digital, sharing data with the Home Office for immigration enforcement purposes. As well as interfering with privacy rights, fear of data sharing is likely to deter migrants from accessing healthcare and other essential public services.
• The use of automated facial recognition in policing, and its impact on privacy rights, has become an increasing concern in recent years. In 2020, the Court of Appeal found that there were ‘fundamental deficiencies’ in the legal framework governing the use of automated facial recognition, and that its use was in breach of privacy rights, the Data Protection Act 2018 and the Public Sector Equality Duty. In its June 2021 opinion, the Information Commissioner’s Office highlighted concerns regarding the privacy implications of facial recognition systems and noted that they may ‘lead to unfairness in the form of discrimination and bias’.
• Provisions of the Police, Crime, Sentencing and Courts Bill governing the use of digital information extraction do not include sufficient safeguards, and the duties and powers in the draft Online Safety Bill could undermine protections for users’ data.
• In June 2021 the UN Special Rapporteur on the right to privacy noted that the UK has improved its oversight regime in recent years ‘to provide resourcing capable of meeting the task of ensuring that interference with privacy is only permitted if necessary and proportionate in a democratic society’.
• However, concerns remain about aspects of the UK’s surveillance and data retention framework. These include the dual role of the Investigatory Powers Commissioner in both authorising surveillance and providing oversight of its conduct, and whether bulk data collection and retention is compliant with EU law.
• In May 2021, following a legal challenge launched in 2013, the European Court of Human Rights Grand Chamber ruled that the UK’s former bulk interception regime under RIPA breached the rights to privacy and free expression under the European Convention on Human Rights and Fundamental Freedoms. This ruling has implications for the current regime under the Investigatory Powers Act 2016.
• In June 2021, the EU Commission found that the UK’s law and practice on personal data protection ensures an essentially equivalent level of protection to the one guaranteed under the General Data Protection Regulationand the Law Enforcement Directive, following the UK’s exit from the EU.