If the government doesn’t provide mandatory data protection privacy checks soon it faces being taken to court
Friday 3 July 2020 - Wired - https://www.wired.co.uk/article/nhs-test-and-trace-data-protection
The new legal letter says that a DPIA should have been conducted for the overall Test and Trace programme, not just certain parts of the setup. It says that the department should produce an assessment for the whole process and put in place any risks that are identified. “The data protection regime is not a compliance tick box exercise. It's about identifying the risks to fundamental human rights,” says Ravi Naik, a solicitor and director at AWO who is leading the complaint. “Through that process, you can understand and mitigate against risks that arise.”
Naik adds that the Test and Trace system initially planned to keep people’s data for 20 years but following questions sent to the DHSC it has backtracked on this policy and reduced how long data is kept to eight years. “Three weeks passed since our first letter, where we asked questions about the system. In response, they just changed the retention period from 20 years to eight,” Naik says. “There was no explanation.
More than 150,000 people have had their personal information handled by England’s Test and Trace scheme since it was hurriedly launched on May 28 – 36 days ago. However, the government has failed to conduct a risk assessment about how people’s details – including names, contact details and health status – are protected. And unless it provides these details by July 8 it will be taken to court.
Lawyers working on behalf of privacy and free speech organisation Open Rights Group (ORG) have issued health secretary Matt Hancock and the Department of Health and Social Care (DHSC) with a pre-action legal letter that says they have breached requirements of the Data Protection Act 2018 and GDPR by failing to properly conduct a Data Protection Impact Assessment (DPIA) for the whole Test and Trace system.
DPIAs are a form of risk assessment designed to make sure people’s data, privacy and human rights are protected – they’re also a mandatory legal requirement. They allow organisations processing people’s information to examine what is being done with that data, whether it needs to be collected, and what could go wrong. This can include the risks of data leaks, whether information can be abused and who has access to information.
Test and Trace has been criticised for failing to reach a quarter of people who tested positive for Covid-19, a lack of staff training as thousands of people were initially employed, and the collapse of the NHS-developed contact tracing app. Similarly to Test and Trace, no DPIA was available before the app’s trial on the Isle of Wight started.
“Just because there's a medical emergency doesn't mean that you just forget about basic data protection safeguards,” says Jim Killock, executive director at ORG. “What you end up with is hugely risky data practices, unknown risks, potential data leaks, abuse of information and destruction of trust in your programs from the public.”
“If people end up thinking these programs are untrustworthy, and that they shouldn't participate, you have a really serious public health problem,” Killock adds. “I think the government failing to do Data Protection Impact Assessments is reckless”.
The Test and Trace setup in England is complex: people’s sensitive personal details must be handed over and an array of private companies are involved. People are required to handover their date of birth, sex, NHS number, email, telephone and Covid-19 symptoms as well as the contact details of those they’ve been around. The NHS Business Services Authority is managing contracts that have been handed to NHS Professionals, Serco UK, SITEL Group and Amazon Web Services.
The Open Rights Group and its lawyers, AWO, have been asking for details of the DPIA since June 2 – days after Test and Trace was launched. They say they’ve faced delays in getting responses, the setup of Test and Trace seemed rushed, plus there has been a lack of clarity and transparency when responses have been received.
The legal complaint, which was sent to Hancock and other officials in DHSC and Public Health England on July 1, claims processing of people’s data is in breach of the Data Protection Act 2018 and GDPR’s Article 35. They say that there have only been privacy and data protection considerations made to “a few narrow parts” of the overall Test and Trace system and that they will file for a judicial review after July 8 if a full review isn't completed.
A spokesperson for the DHSC says it is unable to comment on ongoing or potential legal action against the department. Within the legal letter a private secretary at the DHSC is said to have emailed ORG saying: “there were DPIAs – and accompanying privacy notices – undertaken for both the testing and contract tracing advisory service (CTAS) aspects of the programme, which augment pre-existing assessments regarding public health tracing functions”.
In a later message they say the contract tracing advisory service (CTAS) is the website that thousands of people employed by Test and Trace use to enter the details of people identified by the service. Emails sent from the government department to OWA and ORG say they believe “a number of DPIAs instead of a single unified DPIA” would be appropriate under GDPR. On the day that Test and Trace launched Politico reported that a Test and Trace DPIA was being completed and that NHS England “expects to publish this shortly”.
The new legal letter says that a DPIA should have been conducted for the overall Test and Trace programme, not just certain parts of the setup. It says that the department should produce an assessment for the whole process and put in place any risks that are identified. “The data protection regime is not a compliance tick box exercise. It's about identifying the risks to fundamental human rights,” says Ravi Naik, a solicitor and director at AWO who is leading the complaint. “Through that process, you can understand and mitigate against risks that arise.”
Naik adds that the Test and Trace system initially planned to keep people’s data for 20 years but following questions sent to the DHSC it has backtracked on this policy and reduced how long data is kept to eight years. “Three weeks passed since our first letter, where we asked questions about the system. In response, they just changed the retention period from 20 years to eight,” Naik says. “There was no explanation.”
The UK’s data protection regulator, the Information Commissioner’s Office, says it is reviewing a DPIA for parts of the Test and Trace system and is looking at the risks. “The ICO recognises the urgency in rolling out the Test and Trace service during a health emergency, but for the public to have trust and confidence to hand over their data and that of their friends and families, there is also work needed to ensure the risks to that personal data are properly and transparently mitigated,” a spokesperson says.
The ICO adds that it is “in contact with” people leading the Test and Trace system so it can “find out more about their processing, to understand the data protection implications of the test and trace programme and its ecosystem” and make sure laws are being followed.
However, it isn’t the first time that the government has been threatened with legal action for failing to publish documents during the pandemic. At the start of June, openDemocracy and legal group Foxglove were hours from suing the government for failing to release contracts between the NHS and Amazon, Microsoft, Google, Faculty AI and Palantir. Freedom of Information Act requests for the contracts were refused on the grounds of commercial confidentiality but following the threat of legal action, they were published.
“We want to give the government every chance to get this right,” Killock adds. “We're not trying to bring down the program here. We want them to simply sort the risks out.”
Matt Burgess is WIRED's deputy digital editor. He tweets from @mattburgess1