Government admits that NHS Test and Trace programme is unlawful
Test and Trace collects huge amounts of personal data. The government has admitted now it hasn’t conducted proper privacy checks on the system
The government concession follows a threat of legal action from privacy and free speech organisation Open Rights Group (ORG). Two weeks ago it issued a legal letter to the Department of Health and Social Care calling for the publication of a Data Protection Impact Assessment (DPIA) for the whole of the Test and Trace system.
The government has now confirmed it failed to complete a risk assessment for how data was used when Test and Trace launched. What’s more, that risk assessment still hasn’t been completed – though it is being “finalised”.
“They have now admitted Test and Trace was deployed unlawfully,” says Ravi Naik, legal director data rights agency AWO, which is working on ORG’s behalf. “By failing to conduct the appropriate assessment, all the data that has been collected – and continues to be collected – is tainted.”
“It is a concern that it took the threat of legal proceedings to force this admission, rather than just doing the DPIA before deploying the system or at least when we first asked,” Naik adds.
A DPIA is effectively a risk assessment for the handling of personal information. They are legal requirements under the UK Data Protection Act and the European Union’s GDPR and are designed to consider how people’s data could be misused or be subject to abuse by those who collect it. This can include everything from the threat of hacking to a staff member accessing information they shouldn’t have. DPIAs should be completed before the collection of data begins.
In response to ORG’s threat of legal action the Government Legal Department, writing on behalf of Matt Hancock, the secretary of state for health, said it would have been “preferable” for the government to have created a DPIA for Test and Trace “prior to the commencement”.
“The primary focus of all of those involved in the Programme has been to ensure it functions effectively to save lives and protect public health,” the government’s legal team states. It adds that is has taken data protection seriously and published privacy notices about the data Test and Trace can collect. “The absence of a DPIA for every aspect of the programme cannot be and should not be equated with a failure to ensure that the protection of personal data has been an important part of the programme’s design and implementation.”
“It is completely wrong to claim that there are no DPIAs in place or that the NHS Test and Trace service is unlawful,” the Department of Health said in a statement following ORG’s publication of the government’s legal response. It says that “separate DPIAs” had been conducted for some parts of Test and Trace, with more being developed. “NHS Test and Trace is committed to the highest ethical and data governance standards and there is no evidence of data being used unlawfully,” a spokesperson said.
The Test and Trace system is complex and involves a number of private companies. These include Serco UK, SITEL Group and Amazon Web Services, who between them provide data storage and employ contact tracers. The government’s legal team added that “there should have been impact assessments in whatever form in place addressing all of those aspects”.
The amount of data Test and Trace collects is significant. The system works by asking those who have tested positive for coronavirus to reveal who they have been near to in recent weeks. These people are then contacted and asked to self-isolate in case they have contracted Covid-19 and may pass it on to their own contacts.
People who test positive are asked to hand over their date of birth, sex, NHS number, email, telephone and Covid-19 symptoms as well as the contact details of those they’ve been around. From May 28 to July 8, the latest statistics available, 1,956,198 people have been tested for Covid-19 and 34,990 positive cases have had their details passed to the contact tracing operation.
Once contacted by contact tracers an additional 185,401 people who could have been exposed to coronavirus by being around those who have tested positive were identified. Contact tracing teams have been able to get in touch with 84 per cent (155,889) of those people identified.
The result is a trove of information that can be crucial to fighting the spread of coronavirus but also one that carries risks. The purpose of a DPIA is to help mitigate these risks: those running the system are meant to think about what could go wrong and what they could do to stop it.
As Test and Trace is a voluntary scheme – this includes people handing over their contact details at pubs and restaurants – people need to trust their information is being protected. “That starts with being crystal clear about what happens to the data collected, how it will be used and kept safe, what oversight is place and how the rules will be enforced,” Natalie Banner, the head of Understanding Patient Data, an organisation that focuses on how health data is used, said previously. It also means being open about risks and how they will be managed.”
There have already been data protection issues with Test and Trace. The Times has reported some contact tracers have shared private patient information, such as NHS numbers, in WhatsApp and Facebook groups. Other reports have also claimed contact details are being used to harass women.
Jim Killock, executive director of the ORG, says the group threatened the government with legal action as it wasn’t clear whether enough had been done to properly evaluate the scheme. “We can only conclude that they do not understand the risks they are running and have failed to understand the importance of mitigating data protection risks,” Killock says. “It also speaks to the need for the Information Commissioner’s Office [ICO] to take regulatory action rather than acting as a ‘critical friend.’”
According to the government’s response to the ORG, the Department of Health has been involved in “detailed and rigorous constructive engagement” with the ICO, the UK’s data protection regulator. The regulator previously said it was working with the Department of Health on the DPIAs it had received.
Naik adds that once the final DPIA for Test and Trace is completed it should be published. The government’s legal letter did not say when it would be completed. “I would expect a full list of purposes, clarity of the involvement of third parties, justifications for the data processing and retention periods, clear mechanisms for individuals to assert their rights and mitigation steps for any risks,” Naik says. “The fact that these have not been considered to date is very concerning.”
By Matt Burgess
Updated July 20, 2020 17:15 BST: This story has been updated with additional comment from the Department of Health.
Matt Burgess is WIRED's deputy digital editor. He tweets from @mattburgess1