The government has been forced to admit that it deployed the COVID-19 Test and Trace programme unlawfully without a Data Protection Impact Assessment (DPIA), following a legal challenge from privacy campaigning organisation Open Rights Group (ORG).
The Department of Health and Social Care (DHSC) made its admission after ORG threatened to take it to court unless it agreed to immediately conduct a DPIA.
The admission effectively means that the government’s entire Test and Trace programme has been operating unlawfully since its launch on 28 May.
Jim Killock, executive director of ORG, commented: “The reckless behaviour of this government in ignoring a vital and legally required safety step of a DPIA has endangered public health.
“A crucial element in the fight against the pandemic is mutual trust between the public and the government, which is undermined by their operating the programme without basic privacy safeguards.”
Killock argued that data protection regulator the Information Commissioner's Office (ICO) should have taken action.
“The ICO and parliament must ensure that Test and Trace is operating safely and lawfully - as we have already seen individual contractors sharing patient data on social media platforms, emergency remedial steps will need to be taken.”
Ravi Naik, legal director of the data rights agency AWO, which was instructed to act on behalf of ORG, explained that the government has made two significant concessions. "Firstly, when asked to justify retaining COVID-19 data for 20 years they couldn’t do so, and agreed to reduce the period to 8 years.
“Secondly, they have now admitted Test and Trace was deployed unlawfully - by failing to conduct the appropriate assessment, all the data that has been collected - and continues to be collected - is tainted.”
Naik added: "These legal requirements are more than just a tick-box compliance exercise, they ensure that risks are mitigated before processing occurs, to preserve the integrity of the system - instead, we have a rushed-out system, seemingly compromised by unsafe processing practices."
In May, the NHS did provide a DPIA for the contact tracing app trial on the Isle of Wight, asking the ICO to identify any potential risks.
But Michael Veale, a privacy expert at UCL, analysed the DPIA and warned that it indicated significant legal flaws.
“The DPIA reads like a fight between PR folk wanting to say it is anonymous, and data protection folk needing to say legally, it is not,” he commented on Twitter. “DPIAs are no place for PR, this data is not anonymous.”
Veale went on to explain that the DPIA states collecting personal data is always done voluntarily. “It does not properly admit that this is not true: by design, the NHSX app works by other people uploading information about you, including third parties you were co-located with.”