Privacy – UK Government assessment

Progress assessment

Limited progress

There have been legal or policy changes to improve human rights protections but very limited evidence of sustained improvements in the enjoyment of human rights on this issue

Recent legislative and policy changes have introduced certain new safeguards on data protection, surveillance and data retention, but concerns remain about the adequacy of the legal framework. New digital technologies (such as automated facial recognition technology), data use and data sharing pose particular challenges to privacy rights, and the UK Government’s response to the coronavirus pandemic raises new privacy concerns.

  • The UK Government’s response to the pandemic has given rise to various privacy concerns, including proposals for the NHSX contact tracing app for England to store data on a central server – in June 2020 the UK Government reversed these proposals and announced plans to adopt a decentralised model, providing greater protection against abuse of data.
  • In July 2020, following a legal challenge, the Department of Health and Social Care admitted to launching the NHS Test and Trace service for England without carrying out a Data Protection Impact Assessment (DPIA) addressing all aspects of the programme – a DPIA has since been published but concerns remain about aspects of the contact tracing system.
  • The use of automated facial recognition in policing, and its impact on privacy rights, has become an increasing concern in recent years. In August 2020, the Court of Appeal found that there were ‘fundamental deficiencies’ in the legal framework governing the use of automated facial recognition, and that its use was in breach of privacy rights, the Data Protection Act 2018 and the Public Sector Equality Duty – the judgment is not being appealed.
  • There are concerns about essential public services, such as the police and NHS Digital, sharing data with the Home Office for immigration enforcement purposes – as well as interfering with privacy rights, fear of data-sharing is likely to deter migrants from accessing healthcare and other essential public services.
  • Parliamentary committees have raised concerns about the privacy implications of private companies’ collection and use of online personal data, including data sharing without the subject’s knowledge, and the use of personal data for political campaigning. While the UK Government has taken steps towards regulation, breaches of data protection were excluded from the scope of its Online Harms White Paper, a decision which was critiqued by the Information Commissioner.
  • While the Investigatory Powers Act 2016 introduced certain new safeguards, concerns remain about aspects of the UK’s surveillance and data retention framework. These include the fact that the targeted acquisition and disclosure of communications data remains partly outside of judicial control, whether bulk data collection and retention is compliant with EU law, and the complexity caused by the continued parallel operation of the Investigatory Powers Act 2016 and parts of the Regulation of Investigatory Powers Act 2000 (RIPA).
  • In 2018, following a legal challenge launched in 2013, the European Court of Human Rights ruled that the regime under RIPA violated the rights to privacy and free expression under the European Convention on Human Rights – the case was referred to the European Court of Human Rights Grand Chamber in 2019 and is awaiting judgment.
  • Safeguards in the Investigatory Powers Act 2016 were weakened by the Coronavirus Act 2020, including giving the Home Secretary the power to increase the lifespan of an urgent warrant from 5 to 12 working days, although such powers are time-limited.

Read more about the UK Government’s actions on privacy.

The assessment was made based on the evidence available up to 15/09/2020