England’s NHS coronavirus Test and Trace programme has broken a key data protection law, privacy campaigners have warned.
In a letter to the Open Rights Group (ORG), the Department of Health and Social Care (DHSC) acknowledged it had failed to carry out a risk assessment on how the Covid-19 tracing programme would affect privacy.
The ORG – which has threatened the government with legal action – said this means the system has been operating unlawfully since it launched on May 28.
What does the law say?
A Data Protection Impact Assessment (DPIA) helps to identify and mitigate risks relating to the use of personal data.
A DPIA is a requirement under General Data Protection Regulation (GDPR) laws.
Responding to a letter from the ORG, a privacy campaign group, the government confirmed that while a DPIA is a legal requirement, it had not yet been completed for the Test and Trace programme.
The letter from DHSC, which is dated July 15, said the legal requirement is being “finalised”.
A spokesperson for the department said there was “no evidence” of data being used in an unlawful way.
Speaking on BBC Breakfast on Monday, education secretary Gavin Williamson said: “In no way has [there] been a breach of any of the data that has been stored.”
He added: “I think your viewers will understand that if we are to defeat this virus, we do need to have a test and trace system and we had to get that up and running at incredible speed ... Are you really advocating that we get rid of a test and trace system? I don’t think you are.”
But Silkie Carlo, director of privacy campaign group Big Brother Watch, said it was wrong for ministers to “brush these serious errors aside”.
“Public health relies on public trust in medical confidentiality,” Carlo said.
“The government’s disregard for privacy underpins a succession of major contact tracing failures over the past four months. This not only undermines citizens’ rights, but endangers public health too.”
She added: “It shouldn’t be down to NGOs to keep raising the alarm, the Information Commissioner should be doing her job of ensuring these huge data collection systems are at least lawful. So much is at stake.”
Jim Killock, executive director of ORG, called the government’s behaviour “reckless”.
“We have a ‘world beating’ unlawful Test and Trace programme,” he said.
“A crucial element in the fight against the pandemic is mutual trust between the public and the government, which is undermined by their operating the programme without basic privacy safeguards.”
Ravi Naik, legal director of the data rights agency AWO, instructed to act on behalf of ORG, said that failing to carry out the “appropriate assessment” meant all data collected is “tainted”.
“These legal requirements are more than just a tick-box compliance exercise,” he said.
“They ensure that risks are mitigated before processing occurs, to preserve the integrity of the system. Instead, we have a rushed-out system, seemingly compromised by unsafe processing practices.”
A DHSC spokesperson said: “There is no evidence of data being used unlawfully.
“NHS Test and Trace is committed to the highest ethical and data governance standards – collecting, using, and retaining data to fight the virus and save lives, while taking full account of all relevant legal obligations.
“We have rapidly created a large-scale test and trace system in response to this unprecedented pandemic.
“The programme is able to offer a test to anyone who needs one and trace the contacts of those who test positive, to stop the spread of the virus.”