Privacy campaigners have launched a legal challenge against the NHS Test and Trace scheme, claiming that it breaches GDPR. The Open Rights Group (ORG) has filed a complaint with the ICO and written to secretary of state Matt Hancock and others to demand answers.
The ICO complaint is predicated on the fact that the NHS and PHE failed to carry out a data protection impact assessment (DPIA) before forging ahead with the scheme, despite GDPR calling for one in high risk data processing scenarios. The group argues the scheme qualifies as such because of its experimental nature, the sensitivity of the data collected, and its scale – which could impact millions of people.
The group argues there is a lack of confidence over whether data risks have been adequately circumvented. It also highlights that 20 years – the length of time the test and trace scheme has indicated it will retain data – is excessive. The commercial and research intentions of the scheme have been ill-defined so far, creating even more uncertainty, the group asserts.
“The ICO must act to enforce the law,” says Jim Killock, director of the ORG in a statement. “The government is moving too fast, and breaking things as a result. If they carry on in this manner, public confidence will be undermined, and people will refuse to engage with the Track and Trace programme.”
The new NHS Test and Trace system launched last week, and involves people who have tested positive for coronavirus being contacted by contact tracers and asked who they have been in contact with, in order to advise those people to self-isolate.
The scheme will collect data including name, date of birth, gender, NHS Number, email, address and phone numbers and symptoms, as well as the contact details of anyone they came into contact with.
This manual scheme should, at some point, be complemented by the NHSX contact tracing app, although it’s uncertain when it will launch and has been demoted in importance by Dido Harding, the head of the Test and Trace scheme.
Hancock has repeatedly argued that existing data protection legislation is sufficient for both Test and Trace and the NHSX app, despite calls from MPs to put new safeguards into statute.
“Rushing out Test and Trace without following basic legal requirements is troubling,” said Ravi Naik, a data rights lawyer who is working with ORG to bring the complaint to the ICO, in a statement. “Not conducting these assessments has caused our clients concern that those risks have not been properly thought through. Added to this is the lack of transparency around data sharing and relationships with third parties.”
A privacy notice for the Test and Trace scheme says that the data will be processed by contact tracers recruited from PHE and public health bodies, as well as public service outsourcers Serco and Sitel Group, and held in secure storage by Amazon Web Services.
ORG’s letter to Hancock, NHSX CEO Matthew Gould, and PHE chief executive Duncan Selbie highlights that failure to conduct a DPIA could result in a fine of up to €10m (£8.9m).
The letter denounces the lack of security measures in place to identify whether a contact tracer is legitimate or not. Chief medical officer, Dr Jenny Harries, was lambasted in security circles this week for saying: “I think it will be very evident when somebody rings you these are professionally trained individuals and sitting over them are a group of senior clinical professionals.”
The letter also asks about the failure of the Test and Trace privacy notice to differentiate between personal data and special category data, and the lack of specificity with regards to anonymous data and pseudonymous data. Instead the notice uses the Americanised term “personally identifiable data” – something that caused alarm to data privacy specialists.
Public Heath England claim that a DPIA is being prepared. It has not responded to a request for further comment at the time of publishing.