Government admits Test and Trace programme 'breaches data protection law'

20 July 2020, 10:37

The test and trace system 'breaches privacy regulations'
The test and trace system 'breaches privacy regulations'. Picture: PA

By Maddie Goodfellow

The government has admitted that its Test and Trace programme in England has breached a data protection law.

The Department of Health has said that the initiative, which was put in place to trace anyone who may have been in contact with someone infected with Covid-19, was launched without any assessment of its impact on privacy.

In a legal letter, the government said that it did not conduct a data privacy impact assessment (DPIA).

This is required legally to ensure that breaches of patient information don't take place.

The letter was in relation to a legal challenge brought by Open Rights Group (ORG) after the government failed to confirm whether it has reached its legal safeguards.

The test and trace system involves people being asked to share sensitive personal information, which can include:

- Their name, date of birth and postcode

- Who they live with

- Places they recently visited

- Names and contact details of people they have recently been in close contact with, including sexual partners.

The ORG has threatened legal action against the government in order to force it to conduct a DPIA, however the letter proved that this was never carried out.

The government has since told the ORG it is working with the Information Commissioner's Office to make sure that data is processed in accordance with the requirements of the law.

ORG's executive director, Jim Killock, said the government had broken "mutual trust" and "endangered public health" in ignoring this.

"A crucial element in the fight against the pandemic is mutual trust between the public and the government, which is undermined by their operating the programme without basic privacy safeguards," he said.

The ICO is already investigating the Test and Trace programme after a Sunday Times claimed that dome of the government's contact tracers had posted private patient data into WhatsApp and Facebook groups.

A Department of Health spokeswoman said: "NHS Test and Trace is committed to the highest ethical and data governance standards - collecting, using, and retaining data to fight the virus and save lives, while taking full account of all relevant legal obligations."

Ravi Naik, a lawyer at the AWO data rights consultancy, said: "These laws ensure that risks are mitigated before processing occurs, to preserve the integrity of the system."

"Instead, we have a rushed-out system, seemingly compromised by unsafe processing practices.

"The ORG had already won a concession from the government. It had originally planned to keep data for 20 years but has now cut that to eight years."

Scotland, Wales and Northern Ireland all have their own contact tracing schemes, however none of these have been accused of data breaches.

Since the test and trace programme was launched, its 27,000 staff have contacted more than 155,000 people, who may have been infected with the virus, and asked them to go into isolation.