Although data protection and privacy may not be the first things that come to mind when considering how best to wage war against COVID-19, organisations that collect and use personal data and special categories of health-related data to try to combat this gravest of threats to public health should also consider how to ensure that their activities in this regard are reasonable and proportionate in the light of applicable data protection legislation.

It is clear that the worldwide fight against coronavirus is leading to the collection and use of data in new and unusual ways.  For example, software applications which help authorities monitor who app users have come into contact with are being used in some countries (e.g. Israel and South Korea), while certain European mobile network operators have reportedly offered to make anonymised data about users’ movements available to try to pinpoint areas where COVID-19 may be most likely to spread. In the UK, a number of apps to help address the pandemic, which will collect and use various types of data, are being launched. 

The UK Information Commissioner’s Office (ICO) has made clear that it recognises the powerful public interest at this time of global emergency, observing that data protection and electronic communications legislation does not prevent the Government, the NHS, or other health professionals from sending public health messages to individuals, using the latest technology to make safe and quick consultations and diagnoses easier, or collecting and sharing personal data to defend against serious threats to public safety.  

Having said that, care should be taken to ensure that the collection and use of personal data for these purposes does not have unintended consequences, such as the use of such data for unrelated purposes, or the retention of such data for unjustifiably long time periods.

The loss of a degree of privacy to help counteract the spread of COVID-19 is likely to be seen by many as a sacrifice worth making, at least in the short term.  However, data controllers should take care to ensure that use of personal data in these circumstances does not become excessive and unjustifiable and should be mindful of the dangers of allowing extraordinary measures implemented in the context of the current pandemic, to become the new normal regarding personal data.