UK gov admits Track and Trace scheme 'breaches GDPR’

Health Secretary Matt Hancock smiling while walking
(Image credit: Shutterstock)

The UK government has conceded that its flagship contact tracing programme has been operating unlawfully since its 28 May launch, as concerns mount that data breaches may have already been committed.

NHS Track and Trace, spearheaded by the Department for Health and Social Care (DHSC), was not subject to a full data protection impact assessment (DPIA), as explicitly required under GDPR, before it was launched.

Writing to campaigners in a legal capacity, a government solicitor conceded the DHSC failed to live up to expectations set out under Article 35 of GDPR. They added that while having a full DPIA in place was “preferrable”, NHS Track and Trace was developed at such pace and scale that it wasn’t anywhere close to a primary focus.

The admission was made only after the Open Rights Group (ORG) threatened to take legal action against the government in light of concerns raised when the contact tracing programme was initially launched

Public Health England (PHE), which oversees the scheme, conceded in May that no DPIA had been conducted prior to launch, with a spokesperson telling IT Pro at the time that it would soon complete a full DPIA and “expects to publish this shortly”.

Undermining public trust

Several weeks later, the continued absence of a DPIA has sounded fresh alarms considering the possibility that data breaches are already being committed. Individuals employed as contact tracers, for example, have allegedly shared the details of COVID-19 patients, including names, NHS numbers and contact details, on WhatsApp and Facebook in unregulated groups, according to the Times.

Despite these concerns, the government insists it’s taken appropriate steps to ensure participants’ personal data is being safeguarded, and that the absence of a DPIA shouldn’t be interpreted as a failure on its part to respect data protection principles.

“The reckless behaviour of this government in ignoring a vital and legally required safety step known as the Data Protection Impact Assessment (DPIA) has endangered public health. We have a ‘world-beating’ unlawful Test and Trace programme,” said executive director of the ORG Jim Killock.


Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better


“A crucial element in the fight against the pandemic is mutual trust between the public and the Government, which is undermined by their operating the programme without basic privacy safeguards. The Government bears responsibility for the public health consequences.”

While the status of an NHS Test and Trace DPIA remains “under review”, the government has cited its privacy notices published online as being sufficient to assist the public in understanding how their personal data is processed. These documents, however, have been subject to several major alterations in response to criticism voiced by privacy campaigners.

Initially, for example, the terminology used was Americanised, namely the repeated use of ‘personally identifiable information (PII)’, a term not recognised by GDPR. The government had also initially set out that data obtained through NHS Track and Trace would be retained for 20 years. After pressure from privacy campaigners, this was reduced to eight years.

An absent regulator?

In its legal correspondence, the government said it had been involved in “detailed and rigorous constructive engagement” with the Information Commissioner’s Office (ICO) about the programme’s processing of personal data.

Part of this engagement involves sharing aspects of documentation that will eventually feed into a completed DPIA, which the government insists “is in the process of being finalised”. The ICO has confirmed it has received a DPIA for parts of NHS Track and Trace, and that it’s continuing to engage to understand the system and ensure risks are mitigated.

“The ICO and Parliament must ensure that Test and Trace is operating safely and lawfully. As we have already seen individual contractors sharing patient data on social media platforms, emergency remedial steps will need to be taken.”

“There is not always a requirement for that DPIA to be shared with us,” an ICO spokesperson told IT Pro. “In this case, we have been working with government as a critical friend to provide guidance and advice for some elements of the scheme and to seek assurances that people’s personal data is protected.

“We recognise the urgency in rolling out the test and trace service during a health emergency, but for the public to have trust and confidence to hand over their data and that of their friends and families, there is also work needed to ensure the risks to that personal data are properly and transparently mitigated. People need to understand how their data will be safeguarded and how it will be used.”

The ORG, however, has slammed this approach, suggesting that it’s time the ICO ended its “critical friend” policy and took meaningful action, given this entire episode is undermining public confidence. None of this information would have come to light, moreover, would it not have been for the threat of a judicial review.

“The Test and Trace Programme is central to easing the lockdown and getting the economy growing again,” Killock continued. “The ICO should have taken action but did not. We were forced to threaten Judicial Review to ensure that people’s privacy is protected.

The ICO has faced intense criticism recently for failing to take action in several against clear examples of data protection law, especially, for example, against data breaches committed in the AdTech industry.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.