A cross-party group of more than 20 MPs have banded together to challenge the UK’s data watchdog over its failure to enforce data protection standards for the Test and Trace programme – something that led to the programme being found unlawful.
On 20 July, the government was forced to admit that England’s “world-beating” Test and Trace programme had operated unlawfully since May, as the result of a legal challenge brought by the campaign organisation Open Rights Group (ORG).
The coalition of Green, SNP, Lib Dem and Labour MPs – including Labour MP Clive Lewis, Green Party MP Caroline Lucas, and SNP MP John Nicholson – are demanding that Information Commissioner, Elizabeth Denham, carry out the proper role of the regulator, hold the government to account and demand changes to the Test and Trace system in accordance with data laws.
The letter reads: “Regarding Test and Trace, it is imperative that you take action to establish public confidence – a trusted system is critical to protecting public health.” It highlights the ICO’s powers to demand particular changes through enforcement notices, and even fine the government if it fails to comply.
The government hadn’t completed a Data Protection Impact Assessment (DPIA) before carrying out the programme, a legally required document for sensitive data-processing scenarios under GDPR.
The letter was organised by the Open Rights Group. Director Jim Killock said in a statement: “There is something rotten at the heart of the ICO that makes them tolerate Government’s unlawful behavior. The ICO is a public body, funded by the taxpayers, and accountable to Parliament. They must now sit up, listen, and act.”
The government announced last week that more than 250,000 people’s data had been processed by the service. The sensitive data taken by the programme includes an individual’s name, date of birth, gender, NHS number, email, address and phone numbers and symptoms, as well as the contact details of anyone they came into contact with.
Lucas MP said: “Running a risk assessment on data protection is not an optional extra. It’s a legal requirement and it’s essential if people are to be reassured that when they hand over their data to contact tracers, that data won’t be misused.”
At the beginning of the coronavirus pandemic, the ICO said it would not be taking as strong a stance on enforcement. But it’s attracted criticism for what some perceive as toothlessness. Denham was taken to task for her vagueness over the ICO’s position on the first iteration of the UK’s contact-tracing app, when she said that the body was working as a “critical friend” to the body in charge of the app, NHSX. It’s for these reasons, perhaps, that the ICO’s recently released annual report identified managing the ICO’s reputation as a challenge for the year ahead.
Lewis said: “The ICO needs to act to ensure the Johnson government stops playing fast and loose with people[‘s] health and safety. The Johnson government brought this programme forward more quickly than was practical, and we are all paying the consequences. Privacy is fundamental to trust. The ICO must investigate and force the government to fix the problems, to avoid a wider breakdown in trust.”
An ICO spokesperson said: “Our regulatory obligations include advising as well as supervising the work of data controllers. Our approach during the pandemic has been to provide advice on the data protection implications of a number of initiatives by the UK Government, the NHS, local councils and private sector organisations to respond to the public health crisis.
“We understand and recognise the government and other organisations had to act quickly to deal with the national health emergency, and we have explained their data protection obligations and provided guidance and expertise at pace to them. We have published much of this work so there is transparency, and will audit and investigate arrangements where necessary to ensure people’s information rights are upheld.”
A spokesperson for the Department of Health and Social Care said: “It is completely wrong to claim that there are no DPIAs in place or that the NHS Test and Trace service is unlawful. We have undertaken a number of separate DPIAs covering the constituent parts of the NHS Test and Trace service, with more in development including an overarching DPIA.
“An entire industry has been successfully set up at speed to tackle the most serious public health crisis we have faced in a century – our priority has been to save lives and protect public health and we will not apologise for doing so.
“NHS Test and Trace is committed to the highest ethical and data governance standards and there is no evidence of data being used unlawfully.”