England’s Test and Trace programme for coronavirus has failed to abide by a key data protection law, privacy campaigners say today.
The government has admitted it did not form a comprehensive “data protection impact assessment” before rolling out the mass data-gathering scheme.
Campaigners the Open Rights Group (ORG) claim that is a breach of Article 35 of the General Data Protection Regulation, agreed EU-wide in 2016.
The Test and Trace scheme tracks down recent contacts of anyone who’s tested positive for Covid-19 and asks them to isolate for 14 days.
It involves giving highly personal details, including names, addresses and the people with whom you’ve had close contact.
The ORG – which forced the admission by launching a legal challenge – said the government’s behaviour was “reckless”.
ORG executive director Jim Killock demanded “emergency remedial steps” after individual firms “shared patient data on social media”.
He said: “The reckless behavior of this Government in ignoring a vital and legally required safety step known as the Data Protection Impact Assessment (DPIA) has endangered public health.
“The Information Commissioner and Parliament must ensure that Test and Trace is operating safely and lawfully.”
Health Department officials insisted a number of data protection impact assessments (DPIAs) have been carried out on different elements of the Test and Trace programme.
But they admitted “further work is required” to ensure they comprehensively cover all aspects of the scheme.
Officials are now “consolidating” the various DPIAs.
Education Secretary Gavin Williamson dodged saying if the programme had been put in place unlawfully. But he insisted people’s actual data had not been breached or used unlawfully.
He told the BBC: “If we are to defeat this virus we do need to have a Test and Trace system – and we had to get that up and running at incredible speed.
“Are you really advocating that we get rid of the Test and Trace system? I don’t think you are.
“Because you know how important this is to keep people safe, and make sure we don’t have a second spike.”
But Lib Dem MP Layla Moran said: “This admission shows the government made a colossal misjudgement in ignoring calls to carry out a full data protection assessment when the Test and Trace system was launched.
“Public trust is critical for Test and Trace to succeed, and that means people need to be reassured that their personal data will be safe.
“The government must urgently complete its data protection assessment and put in place stronger safeguards to ensure that personal information collected to combat this pandemic isn’t misused or stored longer than necessary.
“We cannot afford for public confidence in the Test and Trace programme to be undermined further ahead of a potential second wave this winter.”
The government’s admission is contained in a legal reply to the ORG.
That letter said: “The extremely serious risk to life and health posed by COVID-19 has obliged the Government to take unprecedented, vital steps at high speed.”
But it added: “Various aspects of the Programme have been the subject at earlier stages of their development of a bespoke DPIA, all of which remain under review and which have informed internal decision-making.”
And the letter said: “Nothing in Article 35 is prescriptive about precisely how the DPIA should be conducted. There is no reason, for example, in principle why the obligation could not be met by reference to more than one document (howsoever labelled), so long as they together address all the matters required by Article 35.”
Ravi Naik, Legal Director of the data rights agency AWO, said: “The Government has made two significant concessions to our clients.
“Firstly, when asked to justify retaining COVID-19 data for 20 years they couldn’t do so, and agreed to reduce the period to 8 years.
“Secondly, they have now admitted Test and Trace was deployed unlawfully.
“This is significant. It is a legal requirement to conduct an impact assessment before data processing takes place.
“No impact assessment has been conducted for Test and Trace. By failing to conduct the appropriate assessment, all the data that has been collected – and continues to be collected – is tainted.”
Defending the government, Cabinet minister Mr Williamson told BBC Breakfast: “It’s been quite an exceptional period of our history that we’ve been living through.
“And decisions have had to be made with speed and actions have had to be taken we wouldn’t usually have been taking.
“Test and Trace is at the absolute core if we are to defeat this virus, making sure we contact the people who have got coronavirus, make sure we have an understanding who they’ve been in contact with so they can self-isolate.
“But their individual data, the information that they give, is treated with the absolute highest security. It is not shared.
“There’s not been any instances where this has happened. The security of that data is absolutely vital and the government and all agencies working with the government understand the importance of that.”
Asked if it breached the law, he instead replied: “At no stage has any of this information gone out nor will it go out. It’s treated with the absolute greatest and highest security.”
A Department of Health and Social Care spokesman said: “There is no evidence of data being used unlawfully.
“NHS Test and Trace is committed to the highest ethical and data governance standards – collecting, using, and retaining data to fight the virus and save lives, while taking full account of all relevant legal obligations.
“We have rapidly created a large scale test and trace system in response to this unprecedented pandemic.
“The programme is able to offer a test to anyone who needs one and trace the contacts of those who test positive, to stop the spread of the virus.”