Data Ownership And Contact Tracing

• Published date: 01 June 2020
• Author: Mr Mark Prinsley and Oliver Yaros
• Subject Matter: Privacy, Coronavirus (COVID-19), Data Protection, Privacy Protection, Reporting and Compliance
• Law Firm: Mayer Brown

Who owns the data about individuals collected by the UK Government, NHS, academics and private companies in context of the COVID-19 pandemic such as data from contact tracing apps?

Legal framework

In the UK, there is no comprehensive framework to determine ownership of data, which is not generally understood to be property¹. For example, English judges have held that confidential information is not property which can be stolen² and that it was not possible to exercise a lien over intangible property such as an electronic database³. However, there are laws that regulate and offer protection to certain types of data, such as the data protection legislation or laws relating to copyright, database rights and breach of confidence / trade secrets.

In Europe (including the UK) governments have been keen to encourage sharing of non-personal data to unlock the value of such data and promote innovation⁴ but the collection and sharing of personal data has been strictly regulated.

The data protection legislation in the UK does not designate individuals as "owners" of their personal data but has provided individuals with certain rights (such as the right to be informed, right of access or right to erasure), strengthened the obligations of controllers and processors of personal data, and introduced new enforcement powers.

Contact tracing

Ownership of health data is a particularly sensitive subject. Whilst the current prevailing mood may be one where many individuals are happy to share their personal health data for medical research purposes⁵, contact tracing apps work on the principle of connecting people who are unknown to each other, to each other and to particular locations and times. Significant amounts of data will be captured and in time there may well be concerns about who has this data and the purposes for which it might be used.

Data protection regulators are alert to the risks posed by public institutions sharing personal health data of their patients with the private sector. The UK Information Commissioner's Office (the "ICO") has been previously clear that while data protection laws do not get in the way of innovative use of data, innovation should not be at the expense of eroding legally ensured fundamental privacy rights⁶., The UK data protection legislation imposes strict obligations on controllers, i.e. the persons who determine the purposes and means of the processing of personal data. In relation to the NHS COVID-19 app, it has been announced that the...