Photo by Anthony Devlin/Getty Images
show image

Laurie Clarke

Reporter

Privacy organisations raise concerns over new Test and Trace data collection programme

Two prominent privacy organisations have launched a challenge to the government over the new Test and Trace programme that has launched alongside the NHS Covid-19 contact tracing app.

New legislation requires that venues demand entrants either download the app or supply accurate personal information. The rights groups argue that in the case of the latter, the data is not currently safeguarded by legally binding data protection assurances.

The Open Rights Group and Big Brother Watch have jointly instructed data rights law firm AWO to send a legal letter to the health secretary Matt Hancock asking him to provide information on how citizen’s data will be safeguarded.

“This law could easily lead to the mass recording of our movements and there is a serious question as to whether this is safe and lawful,” said director of Big Brother Watch Silkie Carlo in a statement.

“The government’s new approach to contact tracing is no longer based on public trust, but on exclusion, criminal sanctions and police enforcement. Many people will be rightly shocked to find they’re refused entry to coffee shops and restaurants unless they use the NHSx app or hand over their personal contact details.”

The groups point to the fact that the government is yet to publish a public data protection impact assessment (DPIA) for this element of the programme, or provide information about how venues are to legally and securely store customer details. Such details have already been abused for marketing and harassment purposes.

“This government’s failure to conduct the legally required data safety assessment means that no one knows how people’s details will be safely and legally collected, stored and protected by bars, restaurants, and coffee shops,” said executive director of Open Rights Group Jim Killock in a statement. “No one knows what will happen if things goes wrong and this Government doesn’t seem to have thought this through.

The two organisations are also demanding to know whether the government has carried out a DPIA for the Test and Trace programme as a whole yet. A legal challenge by ORG in July revealed that one hadn’t been conducted, leaving experts to conclude that the programme had been operating unlawfully since May. The government maintains that “there is no evidence of data being used unlawfully”.

The new NHSX app, which runs on a decentralised model created by Google and Apple, is feted by experts as privacy preserving, unlike its predecessor app that ran on centralised infrastructure and eventually had to be abandoned. Killock wrote on Twitter that he had downloaded the new app for reasons including that the code is open for review and that the QR scanning for venues works in the same way.

But he decries the incompleteness of the health department’s efforts. “This government has had six months to fix the test and trace programme and on the eve of the launch of this app one thing is for certain; this government is flying by the seat of its pants,” said Killock.