England’s Covid-19 test and trace programme was deployed unlawfully, the government has revealed.
The admission follows a legal challenge from privacy rights organisation, Open Rights Group (ORG), and marks a significant blow for the government as it aims to curb the spread of the virus and prevent a second wave.
Earlier this month, data rights agency AWO issued a pre-action letter on behalf of ORG to Matthew Hancock, secretary of State for Health and Social Care. The privacy rights group called on the government to publish a Data Protection Impact Assessment (DPIA) for the Test and Trace system.
Despite going live on the 28th May, the Department of Health and Social Care (DHSC) admitted the system had been deployed without carrying out any impact assessments.
“They have now admitted Test and Trace was deployed unlawfully. This is significant,” said Ravi Naik, legal director of AWO.
Test and Trace
England’s Test and Trace programme is a voluntary scheme which relies on the public sharing sensitive personal information, such as names, postcodes, places they have visited and who they live with.
The system also requires people to disclose the names and contact information of people they have been in recent contact with. This also applies to recent sexual partners.
According to government statistics, from 28th May to 8th July 34,990 positive cases of coronavirus were transferred to the contract-tracing system. Of these, 26,742 were reached by operators and asked to disclose details of recent close contacts.
155,889 close contacts were reached through the contract-tracing system and asked to self-isolate out of a total of 185,401 people identified.
This data is crucial to tracing and combating the spread of the virus, which so far has killed more than 45,000 people across the UK. Given the highly sensitive data being collected through Test and Trace, the government’s failure to carry out an impact assessment is a matter of deep concern for privacy rights campaigners.
Organisations are legally obliged to carry out a DPIA before processing any personal information. These impact assessment’s establish whether personal data can be abused or misused, and are a strict legal requirement under GDPR legislation and the UK Data Protection Act.
The government’s failure to carry out due diligence in this regard, Naik insisted, means that the data collected so far is “tainted”.
“These legal requirements are more than just a tick-box compliance exercise. They ensure that risks are mitigated before processing occurs, to preserve the integrity of the system,” he explained. “Instead, we have a rushed-out system, seemingly compromised by unsafe processing practices.”
Writing on behalf of Matt Hancock, the Government Legal Department told ORG that it “would have been preferable for there to have been a single DPIA in place prior to the commencement of the Programme”.
However, the government insisted that the absence of a DPIA does not mean it has breached data protection legislation.
“The absence of a DPIA for every aspect of the Programme cannot be and should not be equated with a failure to ensure that the protection of personal data has been an important part of the Programme’s design and implementation,” the letter reads.
ORG director Jim Killock warned the government’s admission could have huge long-term repercussions for both public health and trust.
“A crucial element in the fight against the pandemic is mutual trust between the public and government, which is undermined by their operating the programme without basic privacy safeguards,” he said.
“The government bears responsibility for the public health consequences,” he added.
This recent blow for the government marks the second round of controversy in the space of a month. A report published by The Times on 12th July revealed that contact tracers were sharing sensitive information on social media platforms.
Personal details belonging to Covid-19 patients were shared on WhatsApp and Facebook, with screenshots containing personal information such as names, NHS numbers, contact details and even case IDs of those who tested positive for the virus.