Privacy activists prep legal challenge against UK plan to keep coronavirus contact-tracing data for two decades
It's too long a retention period, say digital rights campaigners
Privacy rights campaigners are to legally challenge the British government's decision to retain for two decades the data of people that test positive for COVID-19 under the test-and-trace system.
The Open Rights Group (ORG) asked data privacy lawyer Ravi Naik to draft a letter outlining its concerns following the policy of keeping the personal details of those who test positive for the novel coronavirus for up to 20 years.
Jim Killock, the ORG's executive director, told The Guardian: "The government needs to better explain its reasoning; what they have done so far has been rushed. Our concern is people will feel reluctant to participate if they feel their personal data is leaving their control."
The contact-tracing website for Public Health England says that personally identifiable information collected by NHS Test and Trace for people with COVID-19 symptoms will be held by Public Health England.
Contacts of those testing positive who do not show symptoms will have their data kept for five years.
Cori Crider, director of digital rights campaign group Foxglove, told The Reg:
"The question is whether the retention period is too long, and it just obviously is. It seems to me that if you step back and you look at the wider context here; we have had several times when something is done on the hoof that then gets revisited and changed. And I think the 20-year retention period will immediately be resisted as well."
Open letter from digital rights groups to UK health secretary questions big tech's role in NHS COVID-19 data storeREAD MORE
Concerns have also been raised that the test and trace programme has not completed a data protection impact assessment.
Public Health England told The Register it expected to publish to publish the impact assessment soon:
It told us:
Public Health England is currently working to complete the Data Protection Impact Assessment for NHS Test and Trace and has committed to provide this document to the Information Commissioner’s Office (ICO) next week.
Public Health England has taken careful steps to ensure that the NHS Test and Trace complies with its legal obligations and will publish the Impact Assessment on the NHS Test and Trace website, alongside the existing privacy notice, as soon as possible after consulting with the ICO.
Crider said in response: "They should have done it in the first place."
She told The Reg the bigger picture was the lack of transparency over how the test-and-trace programme, the app which is still under development, and the government's proposed NHSX COVID-19 data store would be allowed to share information.
The government's COVID-19 data store project is working with Amazon, Google, Microsoft, Palantir Technologies UK, a subsidy of Peter Thiel's controversial analytics firm, and the London AI company Faculty.
It has prompted an open letter from digital rights groups, which argue for greater transparency over who can access what data and for how long.
"The test-and-trace system, and the app: is all of that going to feed into the data store? Nobody has said. So, we don't know about the size and the scope of the data lake, and frankly, which corporate partners have got their mitts in it," Crider said.
Meanwhile, a separate group has created a model for accessing medical data without moving it from data owners, led by Ben Goldacre, science campaigner and director of the DataLab at Nuffield Department of Primary Care Health Sciences.
Crider said the project, dubbed OpenSAFELY, raised questions about whether the government's data store was in fact a white elephant. "When Ben Goldacre and his team does something like this, you think, could this be done this without recourse to the private data store? I think that's a question that we at least need to ask."
OpenSAFELY project shows promise, but leader discourages comparisons with government COVID-19 data store
OpenSAFELY won praise after creating a COVID-19 analytics platform that can draw from 17 million NHS records.
The model of the project avoids extracting sensitive patient records and instead runs analytics with the data in place within its original data store. Analysis is carried out by a select group of data scientists and the only data leaving the group is summaries of specific queries. All queries of the data are logged.
The approach has won praise from data rights groups. Sam Smith, coordinator at independent lobby group medConfidential, said: "The thing about OpenSAFELY is there is no data copy made – the queries are taken to the place where the data already is, and then the publishable statistics are produced there and exported.
"The NHSX data store requires at least one data copy of the data. It is the data copying that is risky, and creates another information governance point where those in control of the data can make new decisions."
But Goldacre played down comparisons with the NHSX data store project.
"The NHS data store and OpenSAFELY are built to manage completely different kinds of data, and user needs," he told The Register. "We developed OpenSAFELY as a way to handle the specific privacy risks – and computational challenges – when running research analyses across large volumes of extremely detailed primary care data covering a huge proportion of the population.
"I don't think the NHS data store contains anything like this scale of raw, event-level, primary care patient data; in fact, I don't think it contains any primary care data at all. I don't know everything that's in the NHS data store, but it's built to address a very different set of challenges and user needs to OpenSAFELY."
Goldacre praised the health service's digital arm and the data store team for their help in the OpenSAFELY project. ®