Government admits coronavirus track and trace programme broke data protection laws

The Department of Health and Social Care (DHSC) confirmed it failed to carry out a risk assessment on how the system would affect the privacy of its subjects.

Open Rights Group (ORG) claims that the programme, which tracks people who have come into contact with someone confirmed to have coronavirus, has been operating unlawfully since its launch on May 28 and has threatened legal action.

But a spokesman for the DHSC said there is ‘no evidence’ of data being used in an unlawful way.

Carrying out a Data Protection Impact Assessment (DPIA) – which helps to identify and mitigate risks relating to the use of personal data – is a requirement under General Data Protection Regulation (GDPR) laws introduced in May 2018.

In response to a pre-action letter from privacy campaigning organisation ORG, the government confirmed that, while a DPIA is a legal requirement, it has not yet been completed.

The letter from DHSC, which is dated July 15, said the legal requirement is being ‘finalised’.

Calling the government’s behaviour ‘reckless’, Jim Killock – executive director of ORG – said: ‘We have a ‘world beating’ unlawful Test and Trace programme.

‘A crucial element in the fight against the pandemic is mutual trust between the public and the government, which is undermined by their operating the programme without basic privacy safeguards.’

‘As we have already seen individual contractors sharing patient data on social media platforms, emergency remedial steps will need to be taken,’ he said in reference to a report in the Sunday Times which found tracers were sharing patients’ confidential data on Facebook.

Ravi Naik, legal director of the data rights agency AWO, instructed to act on behalf of ORG, said that failing to carry out the ‘appropriate assessment’ meant all data collected was ‘tainted’.

‘These legal requirements are more than just a tick-box compliance exercise,’ he said.

‘They ensure that risks are mitigated before processing occurs, to preserve the integrity of the system. Instead, we have a rushed-out system, seemingly compromised by unsafe processing practices.’

ORG is just one group to raise privacy concerns over the scheme, with a former cabinet minister also previously warning of ‘serious errors’ in its implementation.

Labour’s Lord Hain said last month that the NHS had failed to carry out its legal data protection obligations prior to the launch and had entered into data-sharing relationships ‘on unnecessarily favourable terms to large companies’.

Liberal Democrat health, wellbeing and social care spokesperson Munira Wilson said:

‘The fact that the government have potentially broken the law is just another example of ministers’ disastrous handling of test and trace. For the Department of Health to admit there was no consideration on the impact this would have on our privacy shows that this government is simply walking into blunder after blunder, failing to get a grip on this crisis.

‘Of course mass testing, contact tracing and isolation at the community level for those who test positive, is the only safe way out of lockdown, but protecting individuals’ privacy remains of the utmost importance.

‘The Liberal Democrats have been clear that as long as there is absolute transparency when it comes to what information is collected, how long it is stored for, and who has access to this data, the government can mitigate the concerns people have.

‘Ministers must get a grip of test and trace system if they are to keep people safe from coronavirus. They must do everything they can to not only protect people’s data and keep the public’s trust, but ensure we get an effective app up and running as soon as possible.’

A DHSC spokesman said that there is no evidence of data being used ‘unlawfully’.

‘NHS Test and Trace is committed to the highest ethical and data governance standards – collecting, using, and retaining data to fight the virus and save lives, while taking full account of all relevant legal obligations,’ they said.

‘We have rapidly created a large-scale test and trace system in response to this unprecedented pandemic.

‘The programme is able to offer a test to anyone who needs one and trace the contacts of those who test positive, to stop the spread of the virus.’