The Information Commissioner's Office (ICO) issued, on May 25, 2023, a statement in response to the Open Rights Group's (ORG) report, 'Data Privacy and the Information Commissioner's Office During a Crisis,' which finds that the ICO had failed to protect individuals' privacy during the COVID-19 pandemic. In particular, the report analyses both the use of data in the UK under three COVID-19 health programs, namely NHS Test and Trace, the NHS Contract Tracing App, and the NHS Datastore, as well as the future impact of new changes to the UK's data protection law. 

Findings of the report 

The report makes the following findings:

• the ICO repeatedly failed to take action over clear breaches of data protection law by the government, which included a lack of transparency, accountability, excessive data retention, missing and late Data Protection Impact Assessments (DPIAs), and the involvement of private companies without instilling proper safeguards;
• the failings outlined raise concerns that the large datasets created during the pandemic could still be used in new ways in the future; and
• data sharing agreements with private companies during the pandemic allowed such companies to use and access sensitive data from national public health databases. 

Moreover, the report highlighted evidence that the Data Protection and Digital Information (No.2) Bill should not be adopted since:

• it would further undermine the independence of the ICO; and
• it presents a threat to the UK's data protection framework at a time when data governance and accountability requirements need to be tightened and stronger General Data Protection Regulation (GDPR) complaint mechanisms should be in place. 

The ICO's response

The ICO expressed that it does not share the views outlined in the report, noting that its priority during the pandemic was to help organizations understand how data protection law could facilitate action in a time of emergency. 

You can read the ICO's statement here, the ORG's press release here, and the report here.