The Information Commissioner has published her official Opinion on the Contact Tracing Framework being developed by Apple and Google. This opinion should be read with care with its stated limitations taken into account, in particular the fact that it is limited to the Framework itself and does not extend to Apps developed using it. It also only applies to phase 1 of the project and a more expansive phase 2 is already envisaged.

The Commissioner reaches the conclusion that the Framework is aligned with the principles of data protection by design and by default but it is still clear that there are a number of potential data protection risks which could arise from the way in which it is used, in particular if an app processes data outside the intended scope of the Framework. The Information Commissioner’s opinion highlights the risk that users of a contact tracing app might not understand that the data protection by design and by default principles used in the Framework do not extend to all aspects of the app.

Most current proposals for contact tracing apps would rely on consent as the lawful basis for processing and the Commissioner points out that it is not yet clear how consent management will work or what the practical implications of a withdrawal of consent are.

To my mind, the biggest risk to the privacy of individuals would potentially be from ‘scope creep’ which describes the way in which it is possible that third party app developers will expand the use of Covid-19 tracing apps using the Framework beyond that original stated purpose. The Commissioner mentions this in her Opinion and reassuringly says she will monitor all developments.