UK government faces legal action over NHS Test and Trace risk assessments

The DHSC have until 8 July to provide evidence that a data protection impact assessment has been performed

Health secretary Matt Hancock and the Department of Health and Social Care (DHSC) could face legal action over the alleged mishandling of data of over 150,000 people who have had their personal information collected by the coronavirus Test and Trace scheme.

According to lawyers working on behalf of the Open Rights Group (ORG), the government did not conduct a Data Protection Impact Assessment (DPIA) about how people’s personal data, such as names, dates of birth, sex, NHS numbers, are protected.

If true, this would be a violation of the requirements of the Data Protection Act 2018 and Article 35 of the General Data Protection Regulation (GDPR), which requires organisations to assess the risk associated with the collection and processing personal data ahead of time, particularly when it concerns medical or other data types defined as 'sensitive'.

Hancock and the DHSC have until 8 July to provide evidence of a conducted risk assessment. If not, the case might be taken to court.

Under normal circumstances, an organisation that fails to show evidence of an impact assessment upon request is likely to face harsh sanction from the Information Commissioner's Office, the UK's data regulator, as it would be considered willful negligence. However, it's unclear whether the ICO would take a similar approach with the government's effort to build an operational test and trace system, particularly given the overwhelming public interest to have such a system operational as quickly as possible.

However, ORG executive director Jim Killock argues that the current public crisis should not be used as a reason to relax data protection rules.

“Just because there's a medical emergency doesn't mean that you just forget about basic data protection safeguards,” Killock told Wired. “What you end up with is hugely risky data practices, unknown risks, potential data leaks, abuse of information and destruction of trust in your programs from the public.”

Related Resource

Go digital to meet today’s critical compliance and security requirements

Digital transformation helps companies meet critical compliance and security requirements

Download now

The Test and Trace scheme was launched on 28 May, aiming to help identify, contain and control the spread of the coronavirus. It works by contacting citizens who test positive for the coronavirus and asking them to share information about their recent interactions, from household members, to anyone who had been around them within two metres for more than 15 minutes.

Last month, ORG was preparing to legally challenge the UK government over its decision to retain personal health data for up to two decades. 

According to The Guardian, it enlisted data rights lawyer Ravi Naik to draft an open letter addressed to home secretary Priti Patel and health secretary Matt Hancock over the privacy risks associated with the UK's track and trace programme.

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Recommended

Webhose and Signal Corp boost data breach detection
Security

Webhose and Signal Corp boost data breach detection

7 Oct 2020
ICO to relax GDPR enforcement during coronavirus economic downturn
General Data Protection Regulation (GDPR)

ICO to relax GDPR enforcement during coronavirus economic downturn

16 Apr 2020
The NHS teams up with Apple and Google on coronavirus tracking app
privacy

The NHS teams up with Apple and Google on coronavirus tracking app

14 Apr 2020
Health sites are 'unlawfully' sharing medical data with Facebook and Google
data protection

Health sites are 'unlawfully' sharing medical data with Facebook and Google

7 Apr 2020

Most Popular

The enemy of security is complexity
Sponsored

The enemy of security is complexity

9 Oct 2020
The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

5 Oct 2020
What is a 502 bad gateway and how do you fix it?
web hosting

What is a 502 bad gateway and how do you fix it?

5 Oct 2020