UK government faces legal action over NHS Test and Trace risk assessments
The DHSC have until 8 July to provide evidence that a data protection impact assessment has been performed
Health secretary Matt Hancock and the Department of Health and Social Care (DHSC) could face legal action over the alleged mishandling of data of over 150,000 people who have had their personal information collected by the coronavirus Test and Trace scheme.
According to lawyers working on behalf of the Open Rights Group (ORG), the government did not conduct a Data Protection Impact Assessment (DPIA) about how people’s personal data, such as names, dates of birth, sex, NHS numbers, are protected.
If true, this would be a violation of the requirements of the Data Protection Act 2018 and Article 35 of the General Data Protection Regulation (GDPR), which requires organisations to assess the risk associated with the collection and processing personal data ahead of time, particularly when it concerns medical or other data types defined as 'sensitive'.
Hancock and the DHSC have until 8 July to provide evidence of a conducted risk assessment. If not, the case might be taken to court.
Under normal circumstances, an organisation that fails to show evidence of an impact assessment upon request is likely to face harsh sanction from the Information Commissioner's Office, the UK's data regulator, as it would be considered willful negligence. However, it's unclear whether the ICO would take a similar approach with the government's effort to build an operational test and trace system, particularly given the overwhelming public interest to have such a system operational as quickly as possible.
However, ORG executive director Jim Killock argues that the current public crisis should not be used as a reason to relax data protection rules.
“Just because there's a medical emergency doesn't mean that you just forget about basic data protection safeguards,” Killock told Wired. “What you end up with is hugely risky data practices, unknown risks, potential data leaks, abuse of information and destruction of trust in your programs from the public.”
Go digital to meet today’s critical compliance and security requirements
Digital transformation helps companies meet critical compliance and security requirements
Download nowThe Test and Trace scheme was launched on 28 May, aiming to help identify, contain and control the spread of the coronavirus. It works by contacting citizens who test positive for the coronavirus and asking them to share information about their recent interactions, from household members, to anyone who had been around them within two metres for more than 15 minutes.
Last month, ORG was preparing to legally challenge the UK government over its decision to retain personal health data for up to two decades.
According to The Guardian, it enlisted data rights lawyer Ravi Naik to draft an open letter addressed to home secretary Priti Patel and health secretary Matt Hancock over the privacy risks associated with the UK's track and trace programme.
