As the UK Government tests the long-awaited NHS contact-tracing app, the Scottish Government initiates its track, trace, isolate and support scheme and employers start to monitor health data and test results, the public is asking pertinent questions about the lawful use of health data.

The Information Commissioner’s Office (ICO) has made it clear in various statements since the start of this pandemic that data protection laws do not prevent the sharing and use of health data. However, the ICO has made it equally clear that data protection rules still apply, and that any processing of health data must respect the data protection principles in the General Data Protection Regulation (GDPR) and the right to privacy under the European Convention on Human Rights.

NHSX, the technology unit leading on the app, has assured potential users that data collected will be used solely for NHS purposes relating to combatting the spread of the coronavirus. Users can delete the app, along with all the data it contains, at their discretion, says NHSX.

The GDPR requires data controllers (such as the NHS) to implement data protection by design, and absolute transparency over the use and retention of data is crucial if the NHS is to create the level of trust that will encourage the public to download the app.

Any major data project needs to have a Data Protection Impact Assessment (DPIA), and the NHS has produced a 30-page DPIA for the Isle of Wight pilot. This has been publicly released and is currently under review by the ICO as data protection regulator. There are concerns about both the process and the content of the DPIA (not least the incorrect references to data being anonymous), and we await the ICO’s feedback with great interest.

Joanna Boag-Thomson is a Partner in Shepherd and Wedderburn’s media and technology team.