The NHS has yet to assess the risks of holding Test and Trace data for 20 years

A smartphone displaying the NHS Covid-19 app
(Image credit: Shutterstock)

The NHS will retain the non-anonymised sensitive data of UK citizens engaged as part of the Test and Trace programme for up to 20 years, despite not having fully examined the data protection risks involved.

The government launched NHS Test and Trace, a manual contact-tracing programme, this week to help contain the spread of COVID-19 with lockdown measures beginning to lift.

As part of the scheme, led by Public Health England (PHE), people with coronavirus symptoms are encouraged to provide their own details, the contact details of people they’ve been in touch with, as well as details of any symptoms, if applicable.

PHE subsequently plans to retain this data for up to 20 years, in a non-anonymised format, despite conceding that it hasn’t yet completed a data protection impact assessment (DPIA), examining the risks involved.

‘We expect this to be published shortly’

The data collected under the scheme include full names, dates of birth, sex, NHS numbers, home postcodes and house numbers, telephone numbers and email addresses, and COVID-19 symptoms, including when they started.

Health data, of course, is classed as ‘special category data’ under GDPR and must adhere to a ten-point checklist. Crucially, as set out in Information Commissioner's Office (ICO) guidance, organisations must complete a DPIA for any type of processing “likely to be high risk”; with the presumption that the data processor is aware of the risks of processing special category data.

PHE will retain the personal data collected by NHS Test and Trace for people with COVID-19 symptoms for 20 years. The personal data of people who have been in contact with people with COVID-19 but who do not have symptoms themselves, meanwhile, will be kept for five.

When asked whether PHE has conducted a DPIA into its data collection and processing plans, a spokesperson told IT Pro: “Public Health England, supported by the NHS Business Services Authority, is preparing a data protection impact assessment for the NHS Test and Trace system, and expects to publish this shortly.”

Adopting a cautious approach?

The need to hold onto NHS Test and Trace COVID-19 data for up to 20 years has come as baffling news to many, especially given plans to immunise the population as soon as possible, and within 18 months ideally. There are also concerns over how securely this data can be held over the course of the next two decades, considering how rapidly security processes and threats are changing.

PHE, however, has justified the need for this limit based on the fact “COVID-19 is a new disease” and that it may be necessary to hold know who has been infected “to help control any future outbreaks or to provide any new treatments”.

Asked whether there is any scientific basis for the 20-year and five-year limits, a spokesperson reiterated to us the guidance provided in its privacy policy, adding the data will be held securely, and only be used to fight COVID-19.

Although it’s difficult to predict how the UK’s fight against COVID-19 will pan out, it’s widely expected that spread of the virus would be contained within the next five years, let alone the next 20. It’s difficult, therefore, to fully buy into PHE’s justification, though presumably these limits are being set out due to public health officials taking an abundance of caution.

Anonymising data ‘will defeat the point’

The Information Commissioner’s Office said data protection law doesn’t stipulate how long organisations should keep personal data, and that it’s up to individual organisations to justify their reasons for doing so.

“They should have clear policies in place and be transparent with people about how long they are keeping personal data and why,” an ICO spokesperson said. “If an organisation needs to keep details but does not need to identify individuals, it should anonymise the data so that identification is no longer possible.”

The spokesperson added the ICO would approach PHE to understand more about how NHS Test and Trace will guarantee that personal data is protected.

There are no such plans to anonymise NHS Test and Trace data that PHE plans to retain, a spokesperson continued, because that would render the entire purpose of contact-tracing ineffective.

“Contract tracing necessarily involves direct contact with individuals with COVID-19 and their close contacts in order to provide them with public health advice, such as advice on self-isolation,” they added. “Contact tracing is not possible with anonymised data.”

Trust is crucial to fighting COVID

The launch of NHS Test and Trace has been rocky, with many contact tracers reporting issues with the technology at the heart of the system; difficulties logging in, for example. The indefinite delay to the COVID-19 contact-tracing smartphone app – once touted to serve as the beating heart of the test, trace isolate programme – has also raised eyebrows.

The government has explained its absence by suggesting people would be more receptive, at first, to humans telling them to isolate, as opposed to a smartphone display. The app, however, was for all intents and purposes ready to go – despite the security and privacy concerns raised by many individuals and organisations during its development and trialling phase in the Isle of Wight.

From a privacy perspective, we’re in a bizarre situation where officials have conducted the DPIA for an app that’s been temporarily shelved, while not having finished the DPIA for the manual Test and Trace system that’s been set to live.

Last week, opinion polling revealed that public confidence in the government had fallen off a cliff, driven mostly by its response to Dominic Cummings potentially breaking lockdown rules, further damaging the public health messaging in the process. The timing couldn’t have been worse.

Individuals are now being asked to provide sensitive data to NHS Test and Trace, including medical information as well as contact information on friends and family. This data will be retained for up to 20 years on a basis many would deem flimsy, and won’t be anonymised throughout the period of its retention.

The Department of Health and Social Care insists that all data collection and storage is fully compliant with GDPR and the Data Protection Act 2018, but the fact that officials did not complete a DPIA into NHS Test and Trace won’t inspire any confidence.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.