Legal complaint lodged with UK data watchdog over claims coronavirus Test and Trace programme flouts GDPR
'Government is moving too fast, and breaking things as a result'
Open Rights Group has instructed lawyers to lodge a complaint with the UK's data watchdog over the rollout of the Test and Trace system because it says the system breaches the General Data Protection Regulation (GDPR).
In addition to the Information Commissioner's Office (ICO), the digital rights body's lawyers have also written to the country's health secretary Matt Hancock, the CEO of NHS digital agency NHSX, and the chief exec of Public Health England, asking for clarity around the system.
The complaint to the ICO relates to the failure by the NHS and Public Health England (PHE), which runs the Test and Trace programme, to conduct a Data Protection Impact Assessment (DPIA), which is required under the GDPR before processing of data in high-risk situations.
The Open Rights Group argues that because Test and Trace is experimental, and processes data of a sensitive nature on a large scale, a DPIA was required before data processing started. PHE and the NHS confirmed that a DPIA has not been conducted, in breach of those GDPR requirements.
Jim Killock, executive director of Open Rights Group, said: "The ICO must act to enforce the law. The government is moving too fast, and breaking things as a result. If they carry on in this manner, public confidence will be undermined, and people will refuse to engage with the Test and Trace programme."
The Open Rights Group has instructed Ravi Naik, legal director of the data rights agency AWO, who said: "Rushing out Test and Trace without following basic legal requirements is troubling. These legal obligations are designed to ensure that risks are identified and mitigated. Not conducting these assessments has caused our clients concern that those risks have not been properly thought through.
"Added to this is the lack of transparency around data sharing and relationships with third parties. We trust that the ICO will act accordingly to enforce the law and bring some transparency to the Test and Trace process."
PHE said earlier this week that it was currently working to complete the DPIA for NHS Test and Trace. It committed to provide this document to the ICO next week, saying: "Public Health England has taken careful steps to ensure that the NHS Test and Trace complies with its legal obligations and will publish the Impact Assessment on the NHS Test and Trace website, alongside the existing privacy notice, as soon as possible after consulting with the ICO."
Neil Brown, tech lawyer behind firm decoded.legal, said the ICO did not have a legal obligation to respond to every complaint, but that the letter may carry some weight. "If they've had a complaint from a pretty well-regarded data protection expert lawyer, the ICO may well be minded to respond," he said.
If the Open Rights Group is not satisfied with the response, it still had the option of instigating litigation or issuing an injunction, he said.
There are also questions over the ICO's ability to respond to a complaint, given its struggle to handle its current caseload during the COVID-19 lockdown.
Meanwhile, head of the Test and Trace programme, Baroness Dido Harding, formerly CEO of TalkTalk, answered questions before the UK Parliament's Health Select Committee yesterday. Or rather, did not.
Pressed by committee chairman and former health secretary Jeremy Hunt on the proportion of new COVID-19 cases being contacted by the programme within 24 hours of a positive test result, she said she couldn't share data until it had been validated by the UK Statistical Authority.
"We need to make sure that any data that we share is accurate and validated, as you will see an exchange of letters between Sir David Norgrove, chair of the UK Statistical Authority, and the [health secretary] in the last couple of days. I spoke with him yesterday and all our teams are working together now to agree on a weekly dashboard update for the overall intelligence on the testing programme."
Hunt said he was disappointed in the response and said Harding, who earned the moniker Dido, queen of carnage for her role in the 2017 TalkTalk data breach, should provide the information to the committee by the end of next week. ®