I have just arrived back home from an essential tube journey on the Northern line to the newly opened station at Nine Elms. On the seat opposite me, I found one page of minutes which looks like a record of a meeting in the American Embassy discussing the post-COVID19 environment and what passengers to the USA can expect on arrival after Easter (when President Trump hopes the pandemic in the USA will be over).
The minutes identify two types of passenger arriving at an USA airport, post Easter. Passengers who have recovered from the virus and who are also non-contagious (type 1), and those who have not been exposed (type 2). The risk of a second wave for COVID19 infections in the USA in the Fall (around Presidential election time) arises from the latter group (i.e. it does not arise from the recovered and non-contagious group).
The USA proposes that each visitor when they apply for a Visa will be allocated an email address of the form: passport number dot two/three letter passport nationality@usaborders dot gov. For example [email protected] would be a visitor from the Mexico with passport number 1234.
The minutes note (wrongly) that the avoidance of the use of the passenger’s name makes the passengers impossible for others to identify from the email address information; it concludes that Personal Identifiable Information (PII) is not being processed. This error might cause problems with GDPR compliance but the minutes do not say anything on this topic.
The idea is that the visitor’s email address (e.g. [email protected]) is put in the subject matter of an email send by USA Borders to the UK’s Passport Office that issued the passport to the passenger. The Passport Office systems will have to obtain the functionality to respond to such emails with one line response: “CAN” or “CAN’T”.
The CAN response means the visitor can enter the USA without restriction as the national passport agency certifies that the holder of passport has recovered from virus and is non-contagious.
For the UK, this implies that the UK Passport Office (i.e. the Home Office) can access the COVID health status of passport holders. Powers in the Coronavirus Act 2020 will have to be used to achieve this data sharing objective; powers that do not have much in the way of Parliamentary scrutiny.
The minutes record that the use of CAN and CAN’T has amused the President as most MexiCANs will have the status of (MEXI)CAN’T; this reinforces that Wall the President is building to protect the USA by keeping out aliens.
Those passengers who are in the CAN’T group will be refused entry. They will be offered a choice: fly back home or self-isolate for seven days. President Trump has suggested the use of his hotels for this self isolation; the minutes note that there is no conflict of interest because everybody knows that the President owns several hotels.
Those self-isolating will have to have their mobiles on all the time so they can be tracked by GPS; any movement or proximity to other phones can thus be identified. They might be required to download an app to facilitate tracing. Repeated proximity within the self-isolation period (or turning the phone off) can lead to immediate repatriation.
Finally, the minutes deal with the screens, mobiles and laptops which are well known to harbour the COVID virus. The idea is increase the strength of the back scatter X-ray radiation used by airport security to sanitise the equipment.
However, just in case a phone’s electronics are degraded by the X-rays, the arrival airport in the USA will provide a prominent warning and a “free to use” cloud facility, based in the USA, where passengers can upload their photos, SMS messages and contacts just in case the radiation knocks out the equipment’s electronics. No thought seems to have been given to subsequent transfer issues arising for uploading personal data to the USA cloud from a business phone or laptop.
Data Protection and Human Rights Commentary
There has been a lot of commentary relating to data protection and COVID19.
The first comment is that any interference by a public authority does not infringe Article 8(1) of the European Convention on Human Rights. This is because Article 8(2) permits legislation to be enacted by a Parliament process (e.g. the Coronavirus Act 2020) which sets aside the A.8(1) right in limited circumstances (e.g. any interference deemed necessary of “for the protection of health”).
Turning to the GDPR/DPA2018, the processing of personal data will have an Article 6 lawful basis (e.g. candidates are A.6(1)(c) to A.6(1)(f)) and an Article 9 condition that lifts the prohibition on processing of health personal data (e.g. candidates are A.9(1)(c), A.9(1)(g), A.9(1)(i), Schedule 1, paragraphs 3 or 6).
However, the rights are not exempt (e.g. to be informed, of access), nor are the Principles that relate to data minimisation, storage limitation and security. This means the processing: has to be transparent to data subjects; use the minimum personal data in the processing; retain the personal data for the minimum length of time, and has to be secure. I can’t find a general exemption in Schedules 2 to 4 that could apply in these circumstances.
Hope you found the above interesting; happy lockdown to all our readers.
Note: I normally use April 1st for a special blog but this time I have used the genre to illustrate some data protection issues post COVID19
Upcoming Data Protection Courses (in London)
Obviously COVID19 has put a spanner in the training works, but hopefully the following courses will be running from late June (fingers crossed). We have a full set of courses from September
All courses lead to the relevant BCS qualification:
- Data Protection Foundation: July 7-9 (3 days)
- Data Protection Practitioner: July 14-16 and September 8-10
- Data Protection Upgrade Practitioner: June 23-24 (2 days)
Full details on www.amberhawk.com of by emailing [email protected]