Test and Trace programme unlawful, admits government

The Department of Health and Social Care failed in its legal obligation to complete a mandatory Data Protection Impact Assessment

The UK’s entire Test and Trace Covid-19 contact-tracing programme has been operating unlawfully since its inception on 28 May after the Department of Health and Social Care (DHSC) failed in its legal obligation to complete a mandatory Data Protection Impact Assessment (DPIA).

The government was forced into the admission following a legal challenge from privacy campaigners at the Open Rights Group (ORG), who threatened to take it to court unless it agreed to immediately conduct one.

“The reckless behaviour of this government in ignoring a vital and legally required safety step known as the Data Protection Impact Assessment has endangered public health. We have a ‘world-beating’ unlawful Test and Trace programme,” said ORG executive director Jim Killock.

“A crucial element in the fight against the pandemic is mutual trust between the public and the government, which is undermined by their operating the programme without basic privacy safeguards. The government bears responsibility for the public health consequences.

“The Test and Trace Programme is central to easing the lockdown and getting the economy growing again. The ICO [Information Commissioner’s Office] should have taken action, but did not. We were forced to threaten judicial review to ensure that people’s privacy is protected.

“The ICO and Parliament must ensure that Test and Trace is operating safely and lawfully. As we have already seen individual contractors sharing patient data on social media platforms, emergency remedial steps will need to be taken.”

Speaking on Twitter, Killock said that the government had obfuscated its initial responses to the group’s concerns and noted that it had taken the threat of a judicial review to force its admission.

He said that since the programme was operating unlawfully, and there was evidence of some data breaches, the ICO now needed to step in and take enforcement action instead of operating as a “critical friend”.

A DHSC spokesperson said: “There is no evidence of data being used unlawfully. NHS Test and Trace is committed to the highest ethical and data governance standards – collecting, using, and retaining data to fight the virus and save lives, while taking full account of all relevant legal obligations.

“We have rapidly created a large-scale test and trace system in response to this unprecedented pandemic. The programme is able to offer a test to anyone who needs one and trace the contacts of those who test positive, to stop the spread of the virus.”

Computer Weekly understands that different elements of the programme have had DPIAs carried out, and that the DHSC is now trying to consolidate these, along with any additional analysis that may be pertinent, into an assessment for the programme as a whole.

Nevertheless, the ICO’s guidance holds that organisations must complete a full DPIA if they plan to process data that “is likely to result in a high risk to individuals”, as any data related to people who have tested positive for Covid-19 surely is.

The assessment must establish the nature, scope, context and purpose of data processing, as well as its necessity, proportionality and compliance. The processor must also identify and assess risks to individuals, including members of the public, and set out measures to mitigate those risks.

Ravi Naik, legal director of the new data rights agency AWO, who acted on behalf of ORG, said: “The government has made two significant concessions to our clients. Firstly, when asked to justify retaining Covid-19 data for 20 years they couldn’t do so and agreed to reduce the period to eight years.

“Secondly, they have now admitted Test and Trace was deployed unlawfully. This is significant. It is a legal requirement to conduct an impact assessment before data processing takes place. No impact assessment has been conducted for Test and Trace. By failing to conduct the appropriate assessment, all the data that has been collected – and continues to be collected – is tainted.

“These legal requirements are more than just a tick-box compliance exercise. They ensure that risks are mitigated before processing occurs, to preserve the integrity of the system. Instead, we have a rushed-out system, seemingly compromised by unsafe processing practices,” said Naik. The implications of the government’s concessions, he added, could be widespread.
