Since the 28th of May, over 150,000 people have used England's new Test and Trace scheme, set up to help combat the coronavirus pandemic. The government, however, has yet to publish a risk assessment explaining how the scheme will protect personal information, and unless it provides one by the 8th of July it faces legal action. Lawyers for the Open Rights Group (ORG), an organisation that works on privacy and free speech, have served UK Health Secretary Matt Hancock with a legal letter stating that the Department of Health and Social Care (DHSC) has breached GDPR by failing to conduct that risk assessment.
A Data Protection Impact Assessment (DPIA) is a requirement under GDPR for processing that is likely to pose a high risk to individuals. The assessment is meant to protect people's personal data by forcing an organisation to identify, before processing begins, the risks that arise from collecting and using that data, including how the information could be misused, and to record how those risks will be mitigated.
Thus far, the Test and Trace system has been criticised for failing to contact approximately a quarter of those who tested positive for the virus. Before the Test and Trace system, the NHS developed a contact tracing app; that project collapsed, and it too went ahead without a DPIA.
Jim Killock, executive director of ORG, explained why a risk assessment is so important:
Just because there’s a medical emergency doesn’t mean that you just forget about basic data protection safeguards. What you end up with is hugely risky data practices, unknown risks, potential data leaks, abuse of information and destruction of trust in your programs from the public.
If people end up thinking these programs are untrustworthy, and that they shouldn’t participate, you have a really serious public health problem. I think the government failing to do Data Protection Impact Assessments is reckless.
One of the concerns is the long list of third-party organisations involved in collecting and processing data for the Test and Trace scheme. The list includes notable companies such as Serco UK, SITEL Group and Amazon Web Services.
Since the scheme was launched, ORG has been asking for details of the DPIA and says the Health Department has been slow to respond. The legal complaint sent to the DHSC, PHE and Matt Hancock on the 1st of July claimed that the system's processing of personal data breaches Article 35 of GDPR, the provision that requires a DPIA. ORG has also stated that if a full review and risk assessment is not completed by the 8th of July, it will apply for a judicial review of the system.
A spokesperson for the DHSC said the department is unable to comment on ongoing or potential legal cases against it. It has emerged, however, that a private secretary at the DHSC emailed ORG stating that "there were DPIAs – and accompanying privacy notices – undertaken for both the testing and contact tracing advisory service (CTAS) aspects of the programme, which augment pre-existing assessments regarding public health tracing functions".
AWO, the solicitors representing ORG, responded in a letter that a DPIA should have been conducted for the Test and Trace system as a whole, not just for parts of it.
Ravi Naik, director of AWO, stated:
The data protection regime is not a compliance tick box exercise. It’s about identifying the risks to fundamental human rights. Through that process, you can understand and mitigate against risks that arise.
Three weeks have passed since our first letter, where we asked questions about the system. In response, they just changed the retention period from 20 years to eight. There was no explanation.
The ICO, the UK's data protection watchdog, said it is reviewing a DPIA for the service and carrying out its own risk assessment.
A spokesperson for the ICO said:
The ICO recognises the urgency in rolling out the Test and Trace service during a health emergency, but for the public to have trust and confidence to hand over their data and that of their friends and families, there is also work needed to ensure the risks to that personal data are properly and transparently mitigated.
They added that the ICO also aims to "find out more about their processing, to understand the data protection implications of the test and trace programme and its ecosystem" and to ensure that legal requirements are being met.
Kazient Privacy Experts offers bespoke Data Protection, Privacy and GDPR compliance solutions, in a language you understand, to UK and international organisations, and has received positive media coverage across Europe. Kazient's GDPR consultants are fully certified to act as your outsourced Data Protection Officer or EU Representative. Get in touch to find out how we can help your business by visiting our website www.kazient.co.uk or calling us on 0330 022 9009.