UK gov admits Track and Trace scheme 'breaches GDPR'

DHSC has made concessions following the threat of legal action, including reducing its 20-year data retention policy to eight years

The UK government has conceded that its flagship contact tracing programme has been operating unlawfully since its 28 May launch, as concerns mount that data breaches may have already been committed.

NHS Track and Trace, spearheaded by the Department for Health and Social Care (DHSC), was not subject to a full data protection impact assessment (DPIA), as explicitly required under GDPR, before it was launched.

Writing to campaigners in a legal capacity, a government solicitor conceded the DHSC failed to live up to expectations set out under Article 35 of GDPR. They added that while having a full DPIA in place was “preferable”, NHS Track and Trace was developed at such pace and scale that it wasn’t anywhere close to a primary focus.

The admission was made only after the Open Rights Group (ORG) threatened to take legal action against the government in light of concerns raised when the contact tracing programme was initially launched.

Public Health England (PHE), which oversees the scheme, conceded in May that no DPIA had been conducted prior to launch, with a spokesperson telling IT Pro at the time that it would soon complete a full DPIA and “expects to publish this shortly”. 

Undermining public trust

Several weeks later, the continued absence of a DPIA has sounded fresh alarms considering the possibility that data breaches are already being committed. Individuals employed as contact tracers, for example, have allegedly shared the details of COVID-19 patients, including names, NHS numbers and contact details, on WhatsApp and Facebook in unregulated groups, according to the Times.

Despite these concerns, the government insists it’s taken appropriate steps to ensure participants’ personal data is being safeguarded, and that the absence of a DPIA shouldn’t be interpreted as a failure on its part to respect data protection principles.

“The reckless behaviour of this government in ignoring a vital and legally required safety step known as the Data Protection Impact Assessment (DPIA) has endangered public health. We have a ‘world-beating’ unlawful Test and Trace programme,” said executive director of the ORG Jim Killock.


“A crucial element in the fight against the pandemic is mutual trust between the public and the Government, which is undermined by their operating the programme without basic privacy safeguards. The Government bears responsibility for the public health consequences.”

While the status of an NHS Test and Trace DPIA remains “under review”, the government has cited its privacy notices published online as being sufficient to assist the public in understanding how their personal data is processed. These documents, however, have been subject to several major alterations in response to criticism voiced by privacy campaigners.

Initially, for example, the terminology used was Americanised, namely the repeated use of ‘personally identifiable information (PII)’, a term not recognised by GDPR. The government had also initially set out that data obtained through NHS Track and Trace would be retained for 20 years. After pressure from privacy campaigners, this was reduced to eight years.

An absent regulator?

In its legal correspondence, the government said it had been involved in “detailed and rigorous constructive engagement” with the Information Commissioner’s Office (ICO) about the programme’s processing of personal data. 

Part of this engagement involves sharing aspects of documentation that will eventually feed into a completed DPIA, which the government insists “is in the process of being finalised”. The ICO has confirmed it has received a DPIA for parts of NHS Track and Trace, and that it’s continuing to engage to understand the system and ensure risks are mitigated.

“The ICO and Parliament must ensure that Test and Trace is operating safely and lawfully. As we have already seen individual contractors sharing patient data on social media platforms, emergency remedial steps will need to be taken.”

“There is not always a requirement for that DPIA to be shared with us,” an ICO spokesperson told IT Pro. “In this case, we have been working with government as a critical friend to provide guidance and advice for some elements of the scheme and to seek assurances that people’s personal data is protected.

“We recognise the urgency in rolling out the test and trace service during a health emergency, but for the public to have trust and confidence to hand over their data and that of their friends and families, there is also work needed to ensure the risks to that personal data are properly and transparently mitigated. People need to understand how their data will be safeguarded and how it will be used.”

The ORG, however, has slammed this approach, suggesting that it’s time the ICO ended its “critical friend” policy and took meaningful action, given this entire episode is undermining public confidence. None of this information would have come to light, moreover, had it not been for the threat of a judicial review.

“The Test and Trace Programme is central to easing the lockdown and getting the economy growing again,” Killock continued. “The ICO should have taken action but did not. We were forced to threaten Judicial Review to ensure that people’s privacy is protected.”

The ICO has faced intense criticism recently for failing to take action in several clear cases of data protection law being breached, most notably against data breaches committed in the AdTech industry.
