Are Digital Health Passports the Key to Unlocking UK Stadiums? The Data Privacy Perspective
The ban on mass gatherings in order to combat the spread of COVID-19 resulted in the cancellation or postponement of sporting fixtures and live events globally. This includes the English Premier League, which had to postpone all fixtures following the lockdown.
On 10 May 2020, Boris Johnson announced that, as part of the UK government’s three-stage strategy to lift the lockdown, sporting fixtures would be able to resume no earlier than 1 June 2020. The outcome of the Premier League’s recent ‘Project Restart’ discussions is that (in line with many other sports) games will resume behind closed doors for the foreseeable future.
With sports clubs and other live event venues desperate to re-open the doors to stadiums in order to restore much-needed revenue and with fans keen to return, the key question is how they can orchestrate a staged return to some form of normality, whilst maintaining safety for fans and the wider community. As with many other parts of the economy, technology is likely to play a key part in the solution to re-invigorate the sports and entertainment industry.
UK-based cyber-security firm, VST Enterprises Limited (“VSTE”) (along with its marketing agency partner, Redstrike), has reportedly developed a ‘digital health passport’ app. Once the end-user has signed up for the app, they will take a Rapid COVID-19 test (developed in conjunction with several biotech companies), administered by a health professional. The results will then be geo-fenced to a specific location, which may mean that the end-user will have to take several different tests to gain admission to other locations. End-users will receive either a red (positive) or a green (negative) result. The app will also contain a timer, counting down the time until the end-user needs to take another test, re-certifying their status. If an individual has tested negative, they will be entitled to purchase tickets for a game or other live event. The individual will then be provided with a “vcode” that will need to be scanned prior to stadium entry. Once a vaccine becomes available, a customer that has had the vaccine will be able to update their health passport to provide permanent proof that they are virus-free.
This app is an innovative way to allow stadiums to be unlocked to fans, whilst maintaining the fight against COVID-19. However, it also raises a number of data privacy issues that will need to be carefully considered prior to its roll-out.
UK data protection laws (the GDPR 2016/679 and the UK Data Protection Act 2018) require any app processing personal data (data about individuals) to be designed to respect the privacy of individuals and to comply with a number of specific obligations under data protection laws.
In order to collect, process or share personal data, organisations must have a lawful basis in place. In order to process special category personal data, an additional condition must be identified and satisfied under the GDPR/Data Protection Act 2018.
Explicit consent may well be considered an appropriate lawful basis here for the processing of the health data. In order for the consent to be valid under data protection laws, it must be specific, informed, freely given and provided by way of a clear statement. As individuals will be required to provide information about their health status in order to purchase tickets to a match and gain entry to the stadium, it is questionable whether their consent will be ‘freely given’. The European Data Protection Board has updated its guidance on consent, which provides some further clarity on the ‘conditionality’ of consent (i.e. requiring the provision of health data in order to purchase a ticket). The guidance stipulates that conditional consent will only be acceptable in exceptional circumstances.
Data Protection Impact Assessment (“DPIA”)
Before any roll-out of the app, UK data protection laws require a DPIA to be carried out, due to the use of health data on a large scale. This assessment must evaluate whether the proposed processing of personal data is necessary and proportionate in order to achieve the intended objectives and whether any high risks to users can be sufficiently mitigated.
For example, one risk is that the data processed via the app could be inaccurate, as an individual could catch the virus in the interval between being tested and attending an event. To deal with this, the app requires users to be regularly tested for the virus and includes a timer, which counts down how long it is until the individual needs to be re-tested, thereby increasing the accuracy of the data. If any high privacy risks cannot be mitigated, consultation with the data protection regulator, the ICO, will be required.
If a positive COVID-19 result would automatically preclude a fan from purchasing a ticket to a football game or other event, the provisions which regulate automated decision-making under the GDPR may apply. Individuals have the right not to be subject to any decision (which has a legal or similarly significant effect) based solely on automated processing, subject to limited exceptions. Automated decision-making, which involves the use of special category data, such as health data, is greatly restricted. Potentially, it can be undertaken on the basis of the explicit consent of the user (noting the above concerns), as the user would upload their health data to the app. This is subject to suitable safeguards being in place to protect the user.
Data protection by design and default
As this app will process health data about individual customers (namely their COVID-19 status), the privacy stakes are raised, increasing the importance of ensuring that compliance with the core data protection principles is embedded into the design of the app. The app’s default settings must ensure that the scope of the personal data processed via the app, as well as the use of, access to and retention of personal data are strictly limited to what is necessary in order to combat the spread of COVID-19. Privacy should sit alongside security and, due to the sensitive nature of the personal data being processed, strong end-to-end security measures should be put in place.
Sharing of personal data
The use of apps to track the spread of COVID-19 is widespread outside the UK and will soon be rolled out here in the form of the NHSX contact-tracing app. In another blog about the government’s proposed use of personal data during the pandemic crisis, we highlighted that the government had clearly set out exactly whom it was collaborating with to provide the data store. The purpose of the partnerships and subsequent transfers was justified. The same considerations apply here and personal data should only be shared with limited numbers of partners for a specific and defined purpose, which will need to be made clear to users in a privacy notice.
There are a variety of privacy concerns related to the use of digital health passports, but UK data protection laws are not intended to stand in the way of innovative approaches to ensure our health and safety and attempts to reopen the economy. It means that privacy should be considered both at the outset and throughout the lifecycle of the app, as there are several compliance measures (detailed above) that will be key to ensuring the success of this approach.
Considering the potential power this digital health passport has to unlock the economy in the live entertainment sector, businesses in other sectors may begin to invest in such technical infrastructure. For example, shopping malls may benefit from this type of app. The transport sector could make use of such a development, ensuring both that staff/operators are safe to be at work and that passengers are safe to travel. Care homes or retirement villages may benefit, as they could ensure that visitors are virus-free prior to entry. More generally, employers may seek to develop such an app, in order to assist with their obligation to provide a safe working environment.