Monday 20 July 2020 1:07 pm

Test and trace programme breaks GDPR laws, government admits

The NHS Test and Trace scheme that collects contact details of those who have been in close proximity to Covid-19 breaks data protection laws, the Department for Health and Social Care has admitted.

Campaigners from the Open Rights Group (ORG) earlier this month threatened legal action against the department over claims the NHS programme has been operating unlawfully since its launch on 28 May.

In response, the Department of Health conceded that the test and trace programme, which tracks those who have been in close contact to people infected with coronavirus, was launched without carrying out an assessment of its impact on privacy.

Carrying out a data protection impact assessment (DPIA), which helps to identify and mitigate risks relating to use of personal data, is a requirement under both the UK Data Protection Act and EU General Data Protection Regulation (GDPR) laws.

A letter from the Department of Health to the ORG confirmed that the government had not yet completed a DPIA, and had therefore “failed to assess data protection risks around the NHS Test and Trace programme for coronavirus in England”.

England’s test and trace system involves several private companies, including Serco UK, Sitel Group and Amazon Web Services, who provide data storage and employ contact tracers. 

As part of the contact tracing scheme, people who test positive for coronavirus are asked to hand over their date of birth, sex, NHS number, email, telephone and symptoms, in addition to the contact details of those they have been in close contact with.

The government’s legal team said that “there should have been impact assessments in whatever form in place addressing all of those aspects”.

The department said it is working closely with the Information Commissioner’s Office (ICO) to ensure that all data collected by the test and trace scheme is processed in accordance with the law. 

It added that the risk assessment still hasn’t been completed – though it is now being “finalised”.

However, ORG’s executive director, Jim Killock, said the government had been “reckless” in ignoring the DPIA requirement. 

“A crucial element in the fight against the pandemic is mutual trust between the public and the government, which is undermined by their operating the programme without basic privacy safeguards,” he said.

“The government bears responsibility for the public health consequences.”

Speaking to the BBC this morning, education secretary Gavin Williamson said: “It’s been quite an exceptional period of our history that we’ve been living through and decisions have had to be made with speed and actions have been taken that wouldn’t usually have to be taken.”

“Test and trace is at the core if we are to defeat this virus, making sure that we contact people with coronavirus… but their individual data, the information they give, is treated with the absolute highest security.”

Asked if the trace and trace scheme had broken GDPR laws, Williamson said: “At no stage has any of this information gone out, nor will it go out. It is treated with the utmost greatest and highest security. But you will understand that to beat this virus we had to create a track and trace system and we had to get that up and running at incredible speed.”

Rich Vibert, chief executive of data privacy firm Metomic, said: “It just goes to show how despite having regulations such as the GDPR in place, privacy is still treated as an afterthought, but people won’t accept this for much longer.

“Sensitive information from the app has already leaked on social media, making UK citizens lose trust in test and trace — a potential disaster given how critical the strategy is for preventing a second wave.”

Vibert added: “The rushed deployment from the government may have been a decision taken in good faith, but if people can’t trust the system, the biggest loser will still be our health.”

The Times last week reported that various contact tracers employed under the scheme have shared private patient information such as NHS numbers in WhatsApp and Facebook groups, while others have used contact details to harass women.

The IOC has said it will look into the claims. 

A DHSC spokesperson said: “There is no evidence of data being used unlawfully. NHS Test and Trace is committed to the highest ethical and data governance standards — collecting, using, and retaining data to fight the virus and save lives, while taking full account of all relevant legal obligations.

“We have rapidly created a large scale test and trace system in response to this unprecedented pandemic. The programme is able to offer a test to anyone who needs one and trace the contacts of those who test positive, to stop the spread of the virus.”

A spokesperson for the Prime Minister earlier this month rebuffed claims that new rules forcing pubs, restaurants, bars, cafes and hairdressers to keep a record of all visitors may violate data protection laws. 

The spokesperson said: “People are very familiar with giving their contact details to [those] sorts of places — restaurants, pubs, hairdressers and others — in order to make appointments so that’s not new. We said we will work with businesses though to make sure that they can implement this in a secure way.”

“It’s worth pointing out that this system is already in place in a number of countries which have some of the strictest privacy rules in the world and which are subject to GDPR regulations.”

Before the Open: Get the jump on the markets with our early morning newsletter