UK 'Test and Trace' contact tracing scheme in breach of GDPR


The UK Government has admitted that its troubled coronavirus contact tracing scheme was fast-tracked to launch without undergoing an assessment required under GDPR, data privacy experts have warned.

Active since late May, NHS Test and Trace did not undergo a Data Protection Impact Assessment (DPIA), designed to establish whether a project poses a significant risk to data privacy.

The scheme was established in haste at the height of the pandemic to map the transmission of coronavirus between specific individuals and thereby inhibit further spread.

The 27,000 NHS Test and Trace staff (some of whom are third-party contractors) are responsible for collecting patient data - including names, gender, contact details and address - and contacting anyone who might have come into contact with the infected individual.

The data collected by the scheme may also be used as part of research activities, according to a statement published at launch. The “right to be forgotten” established under GDPR, which allows an individual to request their data be erased, is also limited under the rules of the program.

UK contact tracing

The decision to forgo the necessary privacy audits in the name of speed has been challenged by privacy champion the Open Rights Group (ORG), which has demanded a retrospective DPIA take place.

The Department of Health and Social Care (DHSC) has since delivered a response, published by the ORG, in which it concedes that privacy checks were circumvented due to the urgency of the situation and explains that a DPIA will soon be conducted.

“The serious risk to life and health posed by Covid-19 has obliged the government to take unprecedented, vital steps at high speed to limit the ability of the virus to be spread, to protect public health and the lives of the population, and to reduce the burden on the National Health Service,” reads the DHSC letter.

“Inevitably, the programme continues to evolve as the pandemic, the understanding of Covid-19 and other aspects of the government’s response develops. There is no dispute that the programme involves the processing of personal data on a large scale and in - for the United Kingdom - a novel way.”

The letter goes on to explain that the DHSC understands its obligation to process data handled by the scheme in accordance with the requirements of GDPR and that “data protection compliance must be built into every aspect of the programme”.

The department will also enlist the help of the Information Commissioner's Office to ensure the scheme operates within the bounds of the data protection regulation on an ongoing basis.

Via ZDNet

Joel Khalili
News and Features Editor

Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He's responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.