Government admits its test and trace programme broke data protection law as privacy campaigners call the scheme ‘reckless’ and ‘rushed-out’
- Department of Health admitted it did not carry out privacy impact assessment
- This has led campaigners to claim test and trace programme breaks data laws
- The government insists that there is no evidence of data being used unlawfully
The government has admitted its test and trace programme broke data protection laws after being challenged by privacy campaigners.
The Department of Health and Social Care (DHSC) wrote to the Open Rights Group (ORG) to say the scheme was launched without an assessment of its impact on privacy.
Carrying out the assessment — which helps to identify and mitigate risks relating to use of personal data — is a requirement under GDPR laws.
ORG argued the concession meant the scheme has been unlawful since it started on May 28 — but DHSC denies that any data has been used in an unlawful manner.
ORG is just one group to raise privacy concerns over the scheme, with an ex-Cabinet minister also previously warning of ‘serious errors’ in its implementation.
The Department of Health and Social Care admitted that a privacy impact assessment was not carried out by the government on its test and trace programme
The Department of Health says there is no evidence data has been used in an unlawful manner
Labour’s Lord Hain said last month that the NHS had failed to carry out its legal data protection obligations prior to the launch.
And he added officials had entered into data sharing relationships ‘on unnecessarily favourable terms to large companies’.
The track and trace app was trialled on the Isle of Wight but officials have suggested it may not be ready to roll out across the UK until the winter.
There have been privacy concerns around the world over the use of Covid-19 tracing apps, with Norway last month halting its programme.
Jim Killock, executive director of Open Rights Group, told BBC Radio 4 today: ‘The government is simply not going through the basic checks to make sure the system is safe to operate.
‘They failed to conduct a data protection impact assessment and that means they haven’t done the basic check to make sure data is handled safely.
‘It’s taken them six weeks to admit that and that means we have no idea what kind of data risks are going on under the surface.
‘For instance, a week ago there was a story about contact tracers having such bad IT systems that they were reporting to Facebook and Whatsapp groups to share information, so patient information was being shared on those groups.’
Mr Hancock will give in to local councils and allow access to the names and data of people in their areas who have tested positive for coronavirus, sources say. Pictured: A drive-through test centre in Chessington in May
He added it was a worry the programme’s privacy issues could lead to less people giving their details, risking a rise in infections.
As part of the programme designed to contain the coronavirus, people are asked to share sensitive personal information.
This can include: their name, date of birth and postcode; who they live with; places they recently visited; names and contact details of people they have recently been in close contact with, including sexual partners.
Liberal Democrat MP Layla Moran said: ‘This admission shows the government made a colossal misjudgement in ignoring calls to carry out a full data protection assessment when the test and trace system was launched.
‘Public trust is critical for test and trace to succeed, and that means people need to be reassured that their personal data will be safe.
‘The government must urgently complete its data protection assessment and put in place stronger safeguards to ensure that personal information collected to combat this pandemic isn’t misused or stored longer than necessary.
‘We cannot afford for public confidence in the test and trace programme to be undermined further ahead of a potential second wave this winter.’
Meanwhile, on Sunday The Observer reported Health Secretary Matt Hancock is set to announce local authorities will be able to access the named data of coronavirus cases as long as they abide by strict rules on data protection.
Mr Hancock will give in to local councils and allow access to the names and data of people in their areas who have tested positive for coronavirus.
Local authorities are said to have been calling for full access to ‘named patient data’ in order to properly tackle local outbreaks.
And now the health secretary will announce that public health directors working with councils will be able to access the named data – as long as they abide by strict rules on data protection.
An unnamed Government source told The Observer: ‘Subject to necessary data safeguards, we will enhance the level of this detail to ensure that local public health teams on the ground have the information they need to fight this virus.’