Stay up to date with notifications from The Independent

Notifications can be managed in browser preferences.

Coronavirus: England’s test and trace programme ‘breaches data laws’, privacy campaigners say

Government scheme failed to conduct assessment required by GDPR law before launching

Tim Wyatt
Monday 20 July 2020 12:42 BST
Comments
The government launched its test and trace programme in May but failed to complete a mandatory impact assessment on data protection first
The government launched its test and trace programme in May but failed to complete a mandatory impact assessment on data protection first (PA)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

England’s test and trace coronavirus programme has broken data protection laws, privacy campaigners and data protection lawyers have said.

Under the General Data Protection Regulation (GDPR) every project which involves people’s data must first conduct an impact assessment on privacy.

However, the Department for Health and Social Care has now admitted its flagship test and trace scheme, which involves those infected with Covid-19 passing on personal information and the details of those they have been in contact with, was launched in May without any such assessment.

The oversight was first brought to light by the digital privacy campaigners Open Rights Group (ORG).

They argue the lack of a data protection impact assessment means test and trace has been unlawful from the beginning.

“The reckless behaviour of this government in ignoring a vital and legally required safety step known as the data protection impact assessment has endangered public health,” said the executive director of the ORG, Jim Killock.

“A crucial element in the fight against the pandemic is mutual trust between the public and the government, which is undermined by their operating the programme without basic privacy safeguards.”

The 27,000 staff of England’s test and trace programme contact people who may have been infected by someone who has tested positive for coronavirus.

As well as asking them to self-isolate for two weeks in case they also have the virus, the contact tracers can ask them to share who they live with, where they have been recently, and the names and contact details of anyone they have been in close contact with.

So far, more than 150,000 people have come into contact with the test and trace programme. Scotland, Wales and Northern Ireland all run their own test and trace schemes, independent of the NHS England one.

Magnus Boyd, an information security lawyer at the firm Schillings, told The Independent the government had unambiguously broken the law.

“There’s no way that the government could fudge this. It’s very clear on the face of the legislation that an impact assessment is required in these circumstances.”

“What if this data was to leak in some way? Date of birth, sex... you might argue these aren’t particularly sensitive but somebody’s NHS number is hugely sensitive [as is] their Covid-19 symptoms.”

Matt Hancock says test and trace 'app won't work because Apple won't change their system'

The Information Commissioner’s Office (ICO), which regulates data protection, said in a statement it was working with the government to make sure test and trace is in line with the legal requirements on processing personal data.

“It is an organisation’s responsibility to complete a data protection impact assessment as a way of identifying and addressing key privacy questions,” the statement said.

The ICO also said it was acting as a “critical friend” to the government as it recognised the test and trace programme was rolled out at high speed in the middle of a pandemic.

Nevertheless, the public needed to know “how their data will be safeguarded and how it will be used” if they were to have trust in the scheme and continue to give it their personal details and those of their friends.

A Department for Health and Social Care spokeswoman said: “NHS Test and Trace is committed to the highest ethical and data governance standards – collecting, using, and retaining data to fight the virus and save lives, while taking full account of all relevant legal obligations.”

But the ORG is not satisfied and is currently crowdfunding to start a legal action to force the government to conduct a DPIA.

“We are forced to take action, because the Information Commissioner is not doing its job,” the advocacy group’s website states. “When the regulator fails, it is up to us to step in.”

So far, they have raised more than £3,000. Mr Boyd agreed that the ICO should not allow the government to break data protection law simply because of the extraordinary circumstances of the pandemic.

“They should come down hard on the government so that it sends a message that impact assessments are a vital part of the whole architecture of the GDPR,” he said.

“The government cannot be exempt from the sort of pressure that small businesses are under. It would look like one rule for the little guy and one rule for the government.”

Judging by comparable cases in other EU nations, he suggested if the ICO did sanction the government a likely fine would be in the range of £300,000 to £500,000, significantly short of the highest fine possible under GDPR of €10m, or just over £9m.

Others have also raised concerns about the test and trace programme in the past. The Labour peer Lord Hain accused the government last month of sharing data from test and trace “on unnecessarily favourable terms to large companies”.

The Independent also revealed on Sunday the project may be struggling to achieve its main goal of controlling the spread of Covid-19.

Leaked public health analysis showed the service was failing to reach more than half of contacts named by infected residents across the north-west of England, including council areas such as Blackburn with Darwen which has been hit hard by an outbreak.

The government’s scientific advisory group has said at least 80 per cent of those named by infected locals should be contacted within 48 hours in order to stop a new surge in cases.

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in