The UK Information Commissioner, Elizabeth Denham, has released an opinion on the use of Bluetooth technology to track the spread of Coronavirus (COVID-19) and update users if they have come into contact with an infected person.
Information on the framework is limited at this stage to API technology (rather than any specific public health authority apps on contact tracing), so the opinion is also limited to this. Once apps utilising the API start to trickle out, I'd imagine we'll hear more from the ICO.
The good news is that the Commissioner concludes that the framework itself appears to align with the principles of data protection by design and default, and looks to also adhere to data minimisation and security principles. Scope creep is a risk identified however, especially given that any app developer will be free to access the API.
I'd recommend giving the below a read - it very simply explains how the tracing API will work (cartoons included) and the data protection implications each step of the way.
This Opinion sets out the Commissioner’s current thinking regarding the Contact Tracing Framework to enable the use of Bluetooth technology to help governments and public health authorities (PHAs) reduce the spread of the virus.