Privacy activists prep legal challenge against UK plan to keep coronavirus contact-tracing data for two decades

It's too long a retention period, say digital rights campaigners

Privacy rights campaigners are to legally challenge the British government's decision to retain for two decades the data of people that test positive for COVID-19 under the test-and-trace system.

The Open Rights Group (ORG) asked data privacy lawyer Ravi Naik to draft a letter outlining its concerns following the policy of keeping the personal details of those who test positive for the novel coronavirus for up to 20 years.

Jim Killock, the ORG's executive director, told The Guardian: "The government needs to better explain its reasoning; what they have done so far has been rushed. Our concern is people will feel reluctant to participate if they feel their personal data is leaving their control."

The contact-tracing website for Public Health England says that personally identifiable information collected by NHS Test and Trace for people with COVID-19 symptoms will be held by Public Health England.

Contacts of those testing positive who do not show symptoms will have their data kept for five years.

Cori Crider, director of digital rights campaign group Foxglove, told The Reg:

"The question is whether the retention period is too long, and it just obviously is. It seems to me that if you step back and you look at the wider context here; we have had several times when something is done on the hoof that then gets revisited and changed. And I think the 20-year retention period will immediately be resisted as well."

NHS hosptial photo, by Marbury via Shutterstock

Open letter from digital rights groups to UK health secretary questions big tech's role in NHS COVID-19 data store


Concerns have also been raised that the test and trace programme has not completed a data protection impact assessment.

Public Health England told The Register it expected to publish to publish the impact assessment soon:

It told us:

Public Health England is currently working to complete the Data Protection Impact Assessment for NHS Test and Trace and has committed to provide this document to the Information Commissioner’s Office (ICO) next week.

Public Health England has taken careful steps to ensure that the NHS Test and Trace complies with its legal obligations and will publish the Impact Assessment on the NHS Test and Trace website, alongside the existing privacy notice, as soon as possible after consulting with the ICO.

Crider said in response: "They should have done it in the first place."

She told The Reg the bigger picture was the lack of transparency over how the test-and-trace programme, the app which is still under development, and the government's proposed NHSX COVID-19 data store would be allowed to share information.

The government's COVID-19 data store project is working with Amazon, Google, Microsoft, Palantir Technologies UK, a subsidy of Peter Thiel's controversial analytics firm, and the London AI company Faculty.

It has prompted an open letter from digital rights groups, which argue for greater transparency over who can access what data and for how long.

"The test-and-trace system, and the app: is all of that going to feed into the data store? Nobody has said. So, we don't know about the size and the scope of the data lake, and frankly, which corporate partners have got their mitts in it," Crider said.

Meanwhile, a separate group has created a model for accessing medical data without moving it from data owners, led by Ben Goldacre, science campaigner and director of the DataLab at Nuffield Department of Primary Care Health Sciences.

Crider said the project, dubbed OpenSAFELY, raised questions about whether the government's data store was in fact a white elephant. "When Ben Goldacre and his team does something like this, you think, could this be done this without recourse to the private data store? I think that's a question that we at least need to ask."

OpenSAFELY project shows promise, but leader discourages comparisons with government COVID-19 data store

OpenSAFELY won praise after creating a COVID-19 analytics platform that can draw from 17 million NHS records.

The model of the project avoids extracting sensitive patient records and instead runs analytics with the data in place within its original data store. Analysis is carried out by a select group of data scientists and the only data leaving the group is summaries of specific queries. All queries of the data are logged.

The approach has won praise from data rights groups. Sam Smith, coordinator at independent lobby group medConfidential, said: "The thing about OpenSAFELY is there is no data copy made – the queries are taken to the place where the data already is, and then the publishable statistics are produced there and exported.

"The NHSX data store requires at least one data copy of the data. It is the data copying that is risky, and creates another information governance point where those in control of the data can make new decisions."

But Goldacre played down comparisons with the NHSX data store project.

"The NHS data store and OpenSAFELY are built to manage completely different kinds of data, and user needs," he told The Register. "We developed OpenSAFELY as a way to handle the specific privacy risks – and computational challenges – when running research analyses across large volumes of extremely detailed primary care data covering a huge proportion of the population.

"I don't think the NHS data store contains anything like this scale of raw, event-level, primary care patient data; in fact, I don't think it contains any primary care data at all. I don't know everything that's in the NHS data store, but it's built to address a very different set of challenges and user needs to OpenSAFELY."

Goldacre praised the health service's digital arm and the data store team for their help in the OpenSAFELY project. ®

Broader topics

Other stories you might like

  • Lenovo halves its ThinkPad workstation range
    Two becomes one as ThinkPad P16 stands alone and HX replaces mobile Xeon

    Lenovo has halved its range of portable workstations.

    The Chinese PC giant this week announced the ThinkPad P16. The loved-by-some ThinkPad P15 and P17 are to be retired, The Register has confirmed.

    The P16 machine runs Intel 12th Gen HX CPUs, but only up to the i7 models – so maxes out at 14 cores and 4.8GHz clock speed. The laptop is certified to run Red Hat Enterprise Linux, and can ship with that, Ubuntu, and Windows 11 or 10. The latter is pre-installed as a downgrade right under Windows 11.

    Continue reading
  • US won’t prosecute ‘good faith’ security researchers under CFAA
    Well, that clears things up? Maybe not.

    The US Justice Department has directed prosecutors not to charge "good-faith security researchers" with violating the Computer Fraud and Abuse Act (CFAA) if their reasons for hacking are ethical — things like bug hunting, responsible vulnerability disclosure, or above-board penetration testing.

    Good-faith, according to the policy [PDF], means using a computer "solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability."

    Additionally, this activity must be "carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services."

    Continue reading
  • Intel plans immersion lab to chill its power-hungry chips
    AI chips are sucking down 600W+ and the solution could be to drown them.

    Intel this week unveiled a $700 million sustainability initiative to try innovative liquid and immersion cooling technologies to the datacenter.

    The project will see Intel construct a 200,000-square-foot "mega lab" approximately 20 miles west of Portland at its Hillsboro campus, where the chipmaker will qualify, test, and demo its expansive — and power hungry — datacenter portfolio using a variety of cooling tech.

    Alongside the lab, the x86 giant unveiled an open reference design for immersion cooling systems for its chips that is being developed by Intel Taiwan. The chip giant is hoping to bring other Taiwanese manufacturers into the fold and it'll then be rolled out globally.

    Continue reading

Biting the hand that feeds IT © 1998–2022