UK Government Fails to Meet GDPR Requirement in Test and Trace Program

The UK government has failed to meet a crucial General Data Protection Regulation (GDPR) requirement in its COVID-19 Test and Trace program, putting people’s privacy rights at risk, according to the Open Rights Group (ORG).

This follows an admission by the UK’s Department of Health to the group that it has not conducted a data protection impact assessment (DPIA) – a GDPR requirement to identify and minimize data protection risks in projects that process personal information.

“The public can’t trust the program because a vital (and legally required) safety step known as a DPIA was dangerously ignored,” said the ORG in a statement.

Test and Trace was introduced in England on May 28 as part of the government’s strategy of easing COVID-19 lockdown restrictions. Under the initiative, the National Health Service (NHS) attempts to trace close recent contacts of anyone who tests positive for the virus, and if necessary, inform them that they need to self-isolate. This involves people being asked to provide sensitive data including their name, date of birth, postcode, who they live with and places they have recently visited, leading to privacy fears.

The ORG added: “The Test and Trace program has been rushed; private contractors have been employed to deliver it with large numbers of new employees. Many systems have been bolted together at short notice.

“We are doing everything we can to ensure the Test and Trace Program is made safe. That’s why we’re threatening legal action unless a proper DPIA is conducted immediately.”

In its letter to the ORG, the government said it was working with the Information Commissioner's Office (ICO) to ensure it is meeting its requirements under the GDPR.

Quoted by the BBC, a Department of Health spokesperson said: “NHS Test and Trace is committed to the highest ethical and data governance standards – collecting, using and retaining data to fight the virus and save lives, while taking full account of all relevant legal obligations.”

Jonathan Armstrong, partner at legal firm Cordery, commented: “A DPIA will be an essential element of any program like this and we know from the Facebook investigation in Ireland that a DPIA is important from a regulatory perspective. 

“It is also important in establishing trust. Failing to do a DPIA becomes all the more important in this context – trust is key and any allegation that processing has taken place unlawfully destroys that trust.”

Darren Wray, CTO at Guardum, added: “The revelation that a DPIA was not performed as part of the track and trace project shows exceedingly poor governance and control. In the private sector, organizations are expected to ensure that data privacy and protection controls are a part of their business as usual processes, not something that is revisited in hindsight.” 
