Close Widget

One of the greatest challenges surrounding data protection legislation is managing the risk vs the potential positive benefit. In the 2008 film, The Dark Knight, Batman uses a technology called echolocation, which uses the microphone on every cell phone to track down the enemy, the Joker (see it in action here). Morgan Freeman’s character, Lucius Fox, comments on how unethical, dangerous, and wrong the technology is since it is a huge breach to the basic human right of privacy. Batman hands over the keys to the system to Fox, who responds by saying: “Spying on 30 million people isn’t part of my job description.” Once the Joker is found, the machine is destroyed.

It is interesting that this is the exact same ethical dilemma facing the governments of the world over the design and use of track and trace technology. As a global society, we have never been more connected with our data, and it has never been so easily collected and analysed. This wealth of easily available data begs the question: why are we not using it to save lives and protect the world economy in the midst of a pandemic?


The answer is that there is a need to balance the rights of the individual and the needs of society. GDPR legislation was introduced to protect privacy and help maintain this balance, in particular, by preventing large organisations from unethically profiting through buying and selling information without regard for the impacted individual. Due to the requirement for explicit consent, GDPR does not allow for passive participation in public health situations, such as the track and trace scheme.


Whilst it is right that GDPR should not be so quickly amended or abandoned in situations like this since it stands as a binding agreement governing how organisations, including the government, should handle our data, GDPR is also standing in the way of a universal system of protection for our society.

The UK Government initially tried to build its own track and trace app, which it announced in April, but then in June, abandoned in favour of solutions provided by Apple and Google. Interestingly the Google and Apple approaches had more of a focus on privacy through decentralising the contract tracing from any central server and instead of storing contact details on the individual’s phone.

The UK Government application had stated an objective to “gather secondary data for use by the NHS and strategic leaders,” which from a privacy standpoint is unacceptably vague. Very few individuals and campaigners would argue against the use of personal data in the specific case of saving lives; however, the concern is whether it works and what happens after.


On the question of whether the risk is worth the reward, there is little evidence that smartphone tracing has worked. The UK Government application trialled in the Isle of White failed to detect 96% of contacts with Apple iPhones. Reports from Singapore suggested people were reluctant to download the app for fear of battery drain. French and German tracing applications have also failed to encourage enough people to download the application. Therefore, when weighing up whether to risk data privacy at all, there is scant evidence to suggest that technology programs have been very successful.

The second issue is in termination of service, what happens to the data after the pandemic. There is a tendency for organisations and governments to retain data way beyond the initial goals of its collection, ‘just in case.’ The ICO has recommended that any companies involved in developing track and trace solutions ensure that they carefully consider the process of decommissioning as part of the design. The rationale is that this technology and data should be used in a time of crisis and deliberately shut down once that time passes. In the long term, if more organisations considered the full lifecycle of data, including its destruction, this would lead to an increase of data subjects in the premise that whatever they are agreeing to, it has a limited time and a limited scope.

At its core, the problem is participation. GDPR prevents the creation of a program without individual participation and explicit consent, which immediately removes a portion of the population who are simply not aware of available schemes. The third issue is the fragmentation of technology. It is so easy to build an application that the participants who are aware of the scheme are diluted among the many available offerings. The fourth issue is that governments need to be open to working with private companies who know the sector best. And finally, there must be a clear path involving the termination of these projects and what will happen to the data. If not, governments will never be able to gain the trust needed to encourage the wide-scale participation necessary to make schemes effective.

About SureCloud

SureCloud is a provider of cloud-based, Integrated Risk Management (IRM) products, Cybersecurity, and Risk Advisory services, which reinvent the way you manage risk. SureCloud connects the dots with IRM solutions enabling you to make better decisions and achieve your desired business outcomes. SureCloud is underpinned by a highly configurable technology platform, which is simple, intuitive, and flexible. Unlike other GRC Platform providers, SureCloud is adaptable enough to fit your current business processes without forcing you to make concessions during implementation; meaning you get immediate and sustained value from the outset.

About Alex Hollis

Alex is VP of Services for SureCloud, responsible for GRC Services and Customer Success. Alex has two decades of experience in information technology, spanning medical informatics, mobile workforce automation, and for ten years focused on governance risk and compliance (GRC). His GRC domain experience spans IT and Operational Risk, Corporate Compliance, Third-Party Risk Management, and Business Continuity. Alex has received industry recognition for work around risk bow-tie modelling and regulatory compliance, and is regularly invited to speak at industry events. Alex has worked directly on over 200 GRC technology projects in some of the world’s largest companies and most complex environments.

How can we help?