
England’s Test and Trace Programme in “Unlawful” Breach of GDPR

Posted: 20th July 2020
Lawyer Monthly
Last updated 20th July 2020

The Department of Health has conceded that its initiative aimed at tracing contacts of people infected with the COVID-19 virus was launched without conducting an assessment of its impact on the privacy of those involved.

Under the General Data Protection Regulation (GDPR), data protection impact assessments are legally required to be made as part of any project that involves processing personal data. By admitting its failure to comply with this regulation, the Department of Health has conceded that its coronavirus contact-tracing system has been operating unlawfully since its launch on 28 May, according to the Open Rights Group (ORG).

To track the spread of COVID-19 infections, the Track and Trace programme requires people to share information that may be sensitive. This includes their name and address, people they live with, places they have visited and the names and contact details of people who have been in close contact with them, which may include sexual partners.

Jim Killock, executive director of ORG, described the government’s bypassing of the assessment process as “reckless” and an endangerment of public health.

“A crucial element in the fight against the pandemic is mutual trust between the public and the government, which is undermined by their operating the programme without basic privacy safeguards,” he said.


Defending the programme, Education Secretary Gavin Williamson has stated that “In no way has [there] been a breach of any of the data that has been stored”.

Other legal specialists have also criticised the government’s actions. Susan Hall, partner and specialist in information and communications technology at Clarke Willmott LLP, commented: “If no Data Privacy Implementation Assessment (DPIA) has been carried out for the NHS Test and Trace app, the Government is in blatant breach of Article 35 GDPR which requires DPIAs in these circumstances.

“The Government comment that ‘there is no evidence of data being used unlawfully’ betrays a fundamental misunderstanding of the purpose of DPIAs,” she continued. “As Recital 90 GDPR makes clear, DPIAs are intended to be carried out before any processing takes place, as a way of finding out where the risks of data leakage or misuse exist in the proposed scheme and pre-emptively blocking those risks, e.g. by enhanced technical or organisational security measures. It was clear from an early stage that Test and Trace programmes would be needed so the DPIA should have been carried out then.”

Parallel contact-tracing schemes are being carried out in Scotland, Wales and Northern Ireland but, unlike their English counterpart, they have not been accused of failing to comply with GDPR.
