Question to the Department for Digital, Culture, Media & Sport:

To ask Her Majesty's Government whether, to help protect the privacy of the public in using the proposed COVID-19 tracking app, they plan to bring into force immediately sections 77 and 78 of the Criminal Justice and Immigration Act 2008, which would allow a maximum custodial sentence of two years for those convicted of unlawfully obtaining and selling personal data.

Existing law and NHS standards set out a framework of protective measures to ensure the app is legally compliant and meets the standards expected to keep data secure and confidential. This includes GDPR and the Data Protection Act 2018, and the Common Law Duty of Confidentiality in cases where data is provided that might identify an individual.

The data protection legislation provides the Information Commissioner with a range of enforcement powers to ensure organisations comply. As well as significant financial penalties for non-compliance, the 2018 Act includes a range of criminal offences for the very worst breaches of the legislation. This includes the offences of unlawfully obtaining data and re-identifying personal data that has been pseudonymised without lawful excuse. We are satisfied this provides a comprehensive framework and have no plans to increase the maximum penalties of any offences under the Act.

Sections 77 and 78 of the Criminal Justice and Immigration Act 2008 related to the historic offence of unlawfully obtaining personal data under section 55 of the Data Protection Act 1998. That offence and the relevant provisions in the Criminal Justice and Immigration Act were repealed by the Data Protection Act 2018.