Information Commissioner Elizabeth Denham and Executive Director of Technology and Innovation Simon McDougall are to appear before the Human Rights Joint Committee today. 

While the ICO has circulated guidance on the application of data protection principles during coronavirus, there is an obvious lingering concern as to enforcement of privacy principles during a public health emergency in which 'track and trace' enabled technology offers a gateway (at least in part) out of lockdown. 

Ahead of its appearance, the ICO has provided a document to the Human Rights Committee which outlines the ICO's expectations to support technical design teams (architects, product managers, designers, engineers) in understanding how to apply information rights and data protection by design and default approaches to the technical development lifecycle of COVID-19 contact tracing apps.

The top takeaways for any app developer?

1. Be transparent about the purpose: Explain if the purpose is only proximity notification or if the purpose is broader, or is likely to expand in accordance with any development roadmap.

2. Be transparent about your design choices: Be clear about the system’s architectural design decisions, how they were made and what risks the approach poses to individual rights. 

3. Be transparent about the benefits: Be clear about the benefits and outcomes your app seeks to achieve, from both your perspective and that of the user.

4. Collect the minimum amount of personal data necessary: Minimise the data your solution processes to that which is necessary to achieve your purposes.

5. Protect your users: Ensure your app uses pseudonymous identifiers, which are renewed regularly as appropriate to your purposes, and are generated in such a way that risks of reidentification and tracking are reduced.

6. Give users control: Ensure your users can exercise their rights via your app, where these rights apply.

7. Keep data for the minimum amount of time, and, where appropriate, ensure the user has control over this: Store data for the minimum amount of time necessary for your purposes. Explain what that period will be and why.

8. Securely process the data: Apply appropriate cryptographic/security techniques to secure the data, both at rest (in servers and apps) and in transit (between apps and the server).

9. Ensure the user can opt in or opt out without any negative consequences: App use, from installation to sharing of information, should be voluntary with no negative consequences for individuals if they do not take action. 

10. Strengthen privacy, don’t weaken it: Ensure the design of the app does not introduce additional privacy and security risks for the user (for example requiring the phone to be unlocked, or location to be identified).
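Points 5 and 7 can be made concrete with a short sketch. This is an added example, not code from the ICO document or from any particular app. It derives short-lived identifiers from a random per-day key and deletes keys once a retention period has passed. The 15-minute rotation, 14-day retention and all names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

ROTATION_SECONDS = 15 * 60   # assumed rotation interval, not an ICO figure
RETENTION_DAYS = 14          # assumed retention period, not an ICO figure
DAY = 86400


class IdentifierStore:
    """Keeps per-day random keys on the device; identifiers are derived on demand."""

    def __init__(self):
        self._day_keys = {}  # day number -> 32 random bytes

    def _key_for(self, day):
        # A fresh random key each day, so identifiers from different days
        # share no secret and cannot be linked through one.
        if day not in self._day_keys:
            self._day_keys[day] = secrets.token_bytes(32)
        return self._day_keys[day]

    def identifier_at(self, unix_time):
        """Return the 16-byte pseudonymous identifier for the interval containing unix_time."""
        day, offset = divmod(int(unix_time), DAY)
        interval = offset // ROTATION_SECONDS
        # HMAC output is unpredictable without the key, so an observer who
        # collects broadcast identifiers cannot tell which belong together.
        mac = hmac.new(self._key_for(day), interval.to_bytes(4, "big"), hashlib.sha256)
        return mac.digest()[:16]

    def purge(self, now):
        """Delete day keys older than the retention period; return the days removed."""
        cutoff = int(now) // DAY - RETENTION_DAYS
        expired = sorted(d for d in self._day_keys if d < cutoff)
        for d in expired:
            del self._day_keys[d]
        return expired
```

Once a day key is purged, the identifiers derived from it can no longer be regenerated or matched on the device, which is what makes the retention limit enforceable rather than declarative.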

To watch, visit the Parliament TV webpage.