UK.gov admits it has not performed legally required data protection checks for COVID-19 tracing system
No evidence of data being used unlawfully, says health department
The UK government has admitted it deployed the COVID-19 Test and Trace programme without a Data Protection Impact Assessment (DPIA) required by law, according to privacy campaigners the Open Rights Group (ORG).
The ORG said the Department of Health and Social Care (DHSC) had confirmed in writing that the impact assessment had not been carried out following its legal complaint to data protection watchdog the Information Commissioner's Office (ICO).
The failure to meet the legal requirement means the government's "entire test and trace programme has been operating unlawfully since its launch on 28th May 2020," the ORG said.
On 1 June, Public Health England, which runs the programme, issued a statement saying it was "currently working to complete the DPAI for NHS Test and Trace and has committed to provide this document to the ICO next week".
Legal complaint lodged with UK data watchdog over claims coronavirus Test and Trace programme flouts GDPRREAD MORE
It was unable to explain to The Register why, after more than a month, the impact assessment had not been completed, and instead deferred to the Department for Health and Social Care.
A DHSC spokesperson said: "There is no evidence of data being used unlawfully. NHS Test and Trace is committed to the highest ethical and data governance standards – collecting, using, and retaining data to fight the virus and save lives, while taking full account of all relevant legal obligations.
"We have rapidly created a large scale test and trace system in response to this unprecedented pandemic. The programme is able to offer a test to anyone who needs one and trace the contacts of those who test positive, to stop the spread of the virus."
Guidance and advice
An ICO spokesperson said: "It is an organisation's responsibility to complete a data protection impact assessment as a way of identifying and addressing key privacy questions. There is not always a requirement for that DPIA to be shared with us.
"In this case, we have been working with government as a critical friend to provide guidance and advice for some elements of the scheme and to seek assurances that people's personal data is protected.
"We recognise the urgency in rolling out the test and trace service during a health emergency, but for the public to have trust and confidence to hand over their data and that of their friends and families, there is also work needed to ensure the risks to that personal data are properly and transparently mitigated. People need to understand how their data will be safeguarded and how it will be used."
Education secretary Gavin Williamson told BBC Breakfast: "In no way has [there] been a breach of any of the data that has been stored.
"I think your viewers will understand that if we are to defeat this virus, we do need to have a test and trace system and we had to get that up and running at incredible speed... Are you really advocating that we get rid of a test and trace system? I don't think you are."
But Neil Brown, director of tech law firm decoded.legal, told The Reg the idea that the government complies with the law or acts at speed in creating the system was a false dichotomy.
"I don't see why they couldn't have assessed the impact of what they're proposing on the fundamental rights of people here, while they were going through the process," he said. "It's something that other organisations do all the time."
He added that any organisation assessing the data protection risks and working to mitigate them as they design and roll out the system would not find the process too onerous. "If what you've done is designed your entire system and you're ready to go, and suddenly think, 'I haven't done my data protection impact assessment', and then you're trying to write it in a way that shows but the solution you found is completely compliant with the law: that could take longer," Brown said.
He also commented that the ICO appeared to be working with the government rather than regulating. "Nowhere in the Data Protection Act can I find where it says that one of tasks of the ICO is to be a 'critical friend': it's a regulator." ®