UK government faces legal action over NHS Test and Trace risk assessments

The DHSC have until 8 July to provide evidence that a data protection impact assessment has been performed

Health secretary Matt Hancock and the Department of Health and Social Care (DHSC) could face legal action over the alleged mishandling of data of over 150,000 people who have had their personal information collected by the coronavirus Test and Trace scheme.

According to lawyers working on behalf of the Open Rights Group (ORG), the government did not conduct a Data Protection Impact Assessment (DPIA) covering how people’s personal data, such as names, dates of birth, sex and NHS numbers, is protected.

If true, this would be a violation of the requirements of the Data Protection Act 2018 and Article 35 of the General Data Protection Regulation (GDPR), which requires organisations to assess the risk associated with the collection and processing of personal data ahead of time, particularly when it concerns medical or other data types defined as 'sensitive'.

Hancock and the DHSC have until 8 July to provide evidence that a risk assessment was conducted. If they do not, the case might be taken to court.

Under normal circumstances, an organisation that fails to show evidence of an impact assessment upon request is likely to face harsh sanctions from the Information Commissioner's Office (ICO), the UK's data regulator, as it would be considered willful negligence. However, it's unclear whether the ICO would take a similar approach with the government's effort to build an operational test and trace system, particularly given the overwhelming public interest in having such a system operational as quickly as possible.

However, ORG executive director Jim Killock argues that the current public crisis should not be used as a reason to relax data protection rules.

“Just because there's a medical emergency doesn't mean that you just forget about basic data protection safeguards,” Killock told Wired. “What you end up with is hugely risky data practices, unknown risks, potential data leaks, abuse of information and destruction of trust in your programs from the public.”

The Test and Trace scheme was launched on 28 May, aiming to help identify, contain and control the spread of the coronavirus. It works by contacting citizens who test positive for the coronavirus and asking them to share information about their recent interactions, from household members, to anyone who had been around them within two metres for more than 15 minutes.

Last month, ORG was preparing to legally challenge the UK government over its decision to retain personal health data for up to two decades. 

According to The Guardian, it enlisted data rights lawyer Ravi Naik to draft an open letter addressed to home secretary Priti Patel and health secretary Matt Hancock over the privacy risks associated with the UK's track and trace programme.
