Jo Panuwat D - stock.adobe.com

MPs accuse ICO of failing to do its job on contact-tracing data

Cross-party group of MPs say the ICO has failed to enforce data protection standards or hold the government to account over the unlawful Test and Trace programme

A cross-party group of MPs, mustered by privacy campaigners at the Open Rights Group, have challenged the Information Commissioner’s Office (ICO) to account for what they say is its failure to enforce data protection standards and hold the government to account over its Covid-19 Test and Trace programme.

The Test and Trace programme has been operating unlawfully since its inception because the Department for Health and Social Care (DHSC) did not bother to complete a mandatory Data Protection Impact Assessment (DPIA), as per ICO rules.

Open Rights Group executive director Jim Killlock said there was “something rotten” at the heart of the ICO that was making the organisation tolerate unlawful behaviour by the UK government.

“The ICO is a public body, funded by the taxpayers, and accountable to Parliament. They must now sit up, listen and act. As a regulator, ICO must ensure that the government upholds the law. They must heed the lessons from what’s happened to Public Health England. The only way to avoid that fate is to enforce the law and discharge their legal responsibility properly,” said Killock.

In an open letter to the ICO, the MPs called on information commissioner Elizabeth Denham to “properly act” and demand the government make changes to the Test and Trace programme to establish public confidence that their data is being processed safely and legally.

Green Party MP Caroline Lucas, one of 22 MPs to have signed the letter, said: “Running a risk assessment on data protection is not an optional extra. It’s a legal requirement and it’s essential if people are to be reassured that when they hand over their data to contact tracers, that data won’t be misused. 

“We will only get through this Covid pandemic if there is trust in ministers and in the systems they put in place,” said Lucas. “That trust is already being stretched wafer thin. If people are to have confidence in the Test and Trace system, there must be an assessment of the risk of data leaks and measures put in place to prevent them.”  

Co-signatory Daisy Cooper, a Liberal Democrat MP and the party’s DCMS spokesperson, added: “The government has seemingly played fast and loose with data protection measures that keep people safe. The public needs a data regulator with teeth: the ICO must stop sitting on its hands and start using its powers – to assess what needs to change and enforce those changes – to ensure that the government is using people’s data safely and legally.”  

The SNP’s John Nicholson said: “A weak regulator failing to hold the government to account risks the health and safety of people in Scotland and whole of the UK. Failure to deal with privacy concerns endangers public health. The government and the ICO both need to take this very seriously.”

Toni Vitale, head of data protection at law firm JMW, said that the failure to carry out a DPIA put the NHS and government in breach of both the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, and put the NHS at risk of enforcement action and a hefty fine.

“The government said there is no evidence of data being used unlawfully or any risk to individuals, but they cannot possibly know that without carrying out a DPIA. Perhaps this is another example of one law for the government and another for the rest of us,” he said.

“It does not set a good example, particularly as lots of organisations are now processing data about their employees – and, in some case, customers – including new data about Covid-19 test results. Some of these organisations will need to perform a DPIA, and the government/NHS should do so,” added Vitale.

In response to the letter, an ICO spokesperson said: “Our regulatory obligations include advising as well as supervising the work of data controllers. Our approach during the pandemic has been to provide advice on the data protection implications of a number of initiatives by the UK government, the NHS, local councils and private sector organisations to respond to the public health crisis.

“We understand and recognise the government and other organisations had to act quickly to deal with the national health emergency, and we have explained their data protection obligations and provided guidance and expertise at pace to them. We have published much of this work so there is transparency, and will audit and investigate arrangements where necessary to ensure people’s information rights are upheld.

“We will continue to uphold people’s information rights, and we will act where our advice is not followed and where we find serious, systemic or negligent behaviour that puts people’s protections at risk.”

Elizabeth Denham, a Canadian national, has also faced criticism and calls for her resignation after she was found to be working from her home in British Columbia on Canada’s west coast, eight hours removed from the UK.

The revelation was met with anger among data protection campaigners, many of whom accused her of abandoning her post at a crucial time, although the ICO said Denham was keeping UK office hours and working closely with her team. She is due to return to the UK in September.

Read more about Test and Trace

Read more on Privacy and data protection