The Department of Health has conceded that its initiative aimed at tracing contacts of people infected with the COVID-19 virus was launched without conducting an assessment of its impact on the privacy of those involved.
Under the General Data Protection Regulation (GDPR), a data protection impact assessment (DPIA) is legally required before any processing of personal data that is likely to result in a high risk to individuals' rights and freedoms, which includes large-scale processing of health data of the kind a contact-tracing programme involves. By admitting that no assessment was carried out, the Department of Health has in effect conceded, according to the Open Rights Group (ORG), that its coronavirus contact-tracing system has been operating unlawfully since its launch on 28 May.
To track the spread of COVID-19 infections, the Test and Trace programme requires people to share information that may be sensitive. This includes their name and address, the people they live with, the places they have visited, and the names and contact details of people who have been in close contact with them, which may include sexual partners.
Jim Killock, executive director of ORG, described the government’s bypassing of the assessment process as “reckless” and as an endangerment of public health.
“A crucial element in the fight against the pandemic is mutual trust between the public and the government, which is undermined by their operating the programme without basic privacy safeguards,” he said.
Defending the programme, Education Secretary Gavin Williamson has stated that “In no way has [there] been a breach of any of the data that has been stored”.
Other legal specialists have also criticised the government’s actions. Susan Hall, partner and specialist in information and communications technology at Clarke Willmott LLP, commented: “If no Data Privacy Implementation Assessment (DPIA) has been carried out for the NHS Test and Trace app, the Government is in blatant breach of Article 35 GDPR which requires DPIAs in these circumstances.”
“The Government comment that ‘there is no evidence of data being used unlawfully’ betrays a fundamental misunderstanding of the purpose of DPIAs,” she continued. “As Recital 90 GDPR makes clear, DPIAs are intended to be carried out before any processing takes place, as a way of finding out where the risks of data leakage or misuse exist in the proposed scheme and pre-emptively blocking those risks, e.g. by enhanced technical or organisational security measures. It was clear from an early stage that Test and Trace programmes would be needed, so the DPIA should have been carried out then.”
Parallel contact-tracing schemes are being run in Scotland, Wales and Northern Ireland, but unlike the English programme they have not been accused of failing to comply with GDPR.