IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

UK government faces legal action over NHS Test and Trace risk assessments

The DHSC have until 8 July to provide evidence that a data protection impact assessment has been performed

Matt Hancock on the move

Health secretary Matt Hancock and the Department of Health and Social Care (DHSC) could face legal action over the alleged mishandling of data of over 150,000 people who have had their personal information collected by the coronavirus Test and Trace scheme.

According to lawyers working on behalf of the Open Rights Group (ORG), the government did not conduct a Data Protection Impact Assessment (DPIA) about how people’s personal data, such as names, dates of birth, sex, NHS numbers, are protected.

If true, this would be a violation of the requirements of the Data Protection Act 2018 and Article 35 of the General Data Protection Regulation (GDPR), which requires organisations to assess the risk associated with the collection and processing personal data ahead of time, particularly when it concerns medical or other data types defined as 'sensitive'.

Hancock and the DHSC have until 8 July to provide evidence of a conducted risk assessment. If not, the case might be taken to court.

Under normal circumstances, an organisation that fails to show evidence of an impact assessment upon request is likely to face harsh sanction from the Information Commissioner's Office, the UK's data regulator, as it would be considered willful negligence. However, it's unclear whether the ICO would take a similar approach with the government's effort to build an operational test and trace system, particularly given the overwhelming public interest to have such a system operational as quickly as possible.

However, ORG executive director Jim Killock argues that the current public crisis should not be used as a reason to relax data protection rules.

“Just because there's a medical emergency doesn't mean that you just forget about basic data protection safeguards,” Killock told Wired. “What you end up with is hugely risky data practices, unknown risks, potential data leaks, abuse of information and destruction of trust in your programs from the public.”

Related Resource

Go digital to meet today’s critical compliance and security requirements

Digital transformation helps companies meet critical compliance and security requirements

Download now

The Test and Trace scheme was launched on 28 May, aiming to help identify, contain and control the spread of the coronavirus. It works by contacting citizens who test positive for the coronavirus and asking them to share information about their recent interactions, from household members, to anyone who had been around them within two metres for more than 15 minutes.

Last month, ORG was preparing to legally challenge the UK government over its decision to retain personal health data for up to two decades. 

According to The Guardian, it enlisted data rights lawyer Ravi Naik to draft an open letter addressed to home secretary Priti Patel and health secretary Matt Hancock over the privacy risks associated with the UK's track and trace programme.

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Most Popular

Open source packages with millions of installs hacked to harvest AWS credentials

Open source packages with millions of installs hacked to harvest AWS credentials

24 May 2022
Nvidia pauses hiring to help cope with inflation
Careers & training

Nvidia pauses hiring to help cope with inflation

23 May 2022
Microsoft finally adds Power BI integrations to PowerPoint and Outlook
business intelligence (BI)

Microsoft finally adds Power BI integrations to PowerPoint and Outlook

25 May 2022