UK government admits Test and Trace programme ‘breaks data protection law’

The government has admitted that England’s coronavirus (Covid-19) Test and Trace programme has broken a data protection law, according to a letter sent to privacy campaigners.

The Department of Health and Social Care (DHSC) acknowledged it had failed to carry out a risk assessment on how the system would affect privacy.

It follows the threat of legal action from the Open Rights Group (ORG), which claims that the programme to trace contacts of those infected with Covid-19 has been operating unlawfully since its launch on 28 May.

A spokesman for the DHSC said there is “no evidence” of data being used in an unlawful way.

Carrying out a Data Protection Impact Assessment (DPIA) – which helps to identify and mitigate risks relating to use of personal data – is a requirement under General Data Protection Regulation (GDPR) laws.

In response to a pre-action letter from privacy campaigning organisation ORG, the government confirmed that, while a DPIA is a legal requirement, it has not yet been completed.

The letter from DHSC, which is dated 15 July, said the legal requirement is being “finalised”.

Calling the government’s behaviour “reckless”, Jim Killock, executive director of ORG, said: “We have a ‘world beating’ unlawful Test and Trace programme.

“A crucial element in the fight against the pandemic is mutual trust between the public and the government, which is undermined by their operating the programme without basic privacy safeguards.”

Ravi Naik, legal director of the data rights agency AWO, instructed to act on behalf of ORG, said that failing to carry out the “appropriate assessment” meant all data collected is “tainted”.

“These legal requirements are more than just a tick-box compliance exercise,” he said.

“They ensure that risks are mitigated before processing occurs, to preserve the integrity of the system. Instead, we have a rushed-out system, seemingly compromised by unsafe processing practices.”

ORG is just one group to raise privacy concerns over the scheme, with a former cabinet minister also previously warning of “serious errors” in its implementation.

Labour’s Lord Hain said last month that the NHS had failed to carry out its legal data protection obligations prior to the launch and had entered into data-sharing relationships “on unnecessarily favourable terms to large companies”.

A DHSC spokesman said: “There is no evidence of data being used unlawfully.

“NHS Test and Trace is committed to the highest ethical and data governance standards – collecting, using, and retaining data to fight the virus and save lives, while taking full account of all relevant legal obligations.

“We have rapidly created a large-scale test and trace system in response to this unprecedented pandemic.

“The programme is able to offer a test to anyone who needs one and trace the contacts of those who test positive, to stop the spread of the virus.”