UK government faces legal action over NHS Test and Trace risk assessments

The DHSC have until 8 July to provide evidence that a data protection impact assessment has been performed

Matt Hancock on the move

Health secretary Matt Hancock and the Department of Health and Social Care (DHSC) could face legal action over the alleged mishandling of data of over 150,000 people who have had their personal information collected by the coronavirus Test and Trace scheme.

According to lawyers working on behalf of the Open Rights Group (ORG), the government did not conduct a Data Protection Impact Assessment (DPIA) about how people’s personal data, such as names, dates of birth, sex, NHS numbers, are protected.

If true, this would be a violation of the requirements of the Data Protection Act 2018 and Article 35 of the General Data Protection Regulation (GDPR), which requires organisations to assess the risk associated with the collection and processing personal data ahead of time, particularly when it concerns medical or other data types defined as 'sensitive'.

Hancock and the DHSC have until 8 July to provide evidence of a conducted risk assessment. If not, the case might be taken to court.

Under normal circumstances, an organisation that fails to show evidence of an impact assessment upon request is likely to face harsh sanction from the Information Commissioner's Office, the UK's data regulator, as it would be considered willful negligence. However, it's unclear whether the ICO would take a similar approach with the government's effort to build an operational test and trace system, particularly given the overwhelming public interest to have such a system operational as quickly as possible.

However, ORG executive director Jim Killock argues that the current public crisis should not be used as a reason to relax data protection rules.

“Just because there's a medical emergency doesn't mean that you just forget about basic data protection safeguards,” Killock told Wired. “What you end up with is hugely risky data practices, unknown risks, potential data leaks, abuse of information and destruction of trust in your programs from the public.”

Related Resource

Go digital to meet today’s critical compliance and security requirements

Digital transformation helps companies meet critical compliance and security requirements

Download now

The Test and Trace scheme was launched on 28 May, aiming to help identify, contain and control the spread of the coronavirus. It works by contacting citizens who test positive for the coronavirus and asking them to share information about their recent interactions, from household members, to anyone who had been around them within two metres for more than 15 minutes.

Last month, ORG was preparing to legally challenge the UK government over its decision to retain personal health data for up to two decades. 

According to The Guardian, it enlisted data rights lawyer Ravi Naik to draft an open letter addressed to home secretary Priti Patel and health secretary Matt Hancock over the privacy risks associated with the UK's track and trace programme.

Featured Resources

Unlocking collaboration: Making software work better together

How to improve collaboration and agility with the right tech

Download now

Four steps to field service excellence

How to thrive in the experience economy

Download now

Six things a developer should know about Postgres

Why enterprises are choosing PostgreSQL

Download now

The path to CX excellence for B2B services

The four stages to thrive in the experience economy

Download now

Recommended

1Password targets enterprise customers with Secrets Automation
IT infrastructure

1Password targets enterprise customers with Secrets Automation

14 Apr 2021
The definitive guide to IT security
Whitepaper

The definitive guide to IT security

9 Apr 2021
Ubiquiti insider says the company downplayed the severity of a major breach
data breaches

Ubiquiti insider says the company downplayed the severity of a major breach

31 Mar 2021
Forex broker FBS leaves millions of customer records exposed
data breaches

Forex broker FBS leaves millions of customer records exposed

25 Mar 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021
Hackers are using fake messages to break into WhatsApp accounts
instant messaging (IM)

Hackers are using fake messages to break into WhatsApp accounts

8 Apr 2021