The government has been forced to concede that England’s “world-beating” Test and Trace programme has been operating unlawfully since it launched in May, as the result of a legal challenge by the campaign organisation Open Rights Group (ORG). The government admitted it did not complete a Data Protection Impact Assessment (DPIA) – a legally required piece of documentation under GDPR – before launching the programme.
The Department of Health and Social Care (DHSC) only admitted to this omission after ORG threatened to take the government to court if it didn’t immediately conduct a DPIA. GDPR calls for the completion of a DPIA for high-risk data processing scenarios – a category ORG argues the Test and Trace programme falls into, given the scale of the programme and the sensitivity of the data.
“The reckless behaviour of this government in ignoring a vital and legally required safety step known as the Data Protection Impact Assessment (DPIA) has endangered public health. We have a ‘world beating’ unlawful Test and Trace programme,” says Jim Killock, director of ORG.
“A crucial element in the fight against the pandemic is mutual trust between the public and the government, which is undermined by their operating the programme without basic privacy safeguards. The government bears responsibility for the public health consequences.”
At the behest of ORG, the government has already been forced to walk back the length of time it planned to hold onto the Test and Trace data, reducing the retention period from 20 years to eight for seemingly arbitrary reasons.
The scheme collects a range of sensitive data including an individual’s name, date of birth, gender, NHS number, email, address and phone numbers and symptoms, as well as the contact details of anyone they came into contact with.
The Times reported last week that contact tracers were sharing screenshots of confidential patient data (containing the names, NHS numbers, contact details and case IDs of those who have tested positive for the virus) on Facebook and WhatsApp groups because “shambolic” training had left them uncertain of how to carry out the role. As a result, the programme is already being investigated by the Information Commissioner’s Office.
Director of the data rights agency AWO, Ravi Naik, who brought the complaint on behalf of ORG, said: “By failing to conduct the appropriate assessment, all the data that has been collected – and continues to be collected – is tainted.
“These legal requirements are more than just a tick-box compliance exercise. They ensure that risks are mitigated before processing occurs, to preserve the integrity of the system. Instead, we have a rushed-out system, seemingly compromised by unsafe processing practices. The repercussions of the concessions could be widespread.”
A DHSC spokesperson said: “There is no evidence of data being used unlawfully. NHS Test and Trace is committed to the highest ethical and data governance standards – collecting, using, and retaining data to fight the virus and save lives, while taking full account of all relevant legal obligations.
“We have rapidly created a large scale test and trace system in response to this unprecedented pandemic. The programme is able to offer a test to anyone who needs one and trace the contacts of those who test positive, to stop the spread of the virus.”
This article was updated to include comment from a DHSC spokesperson.