“A crucial element in the fight against the pandemic is mutual trust between the public and the government, which is undermined by their operating the programme without basic privacy safeguards. The government bears responsibility for the public health consequences.”A DPIA is required before carrying out any “high risk” processing of personal data. The government had previously argued that the test-and-trace programmes, which involves carrying detailed personal information from patients across the country, did not qualify as high risk, until the ORG threatened to take it to court over the claim.
“These legal requirements are more than just a tick-box compliance exercise,” said Ravi Naik, the legal director of the data rights agency AWO, which took the action on behalf of the ORG. “They ensure that risks are mitigated before processing occurs, to preserve the integrity of the system. Instead, we have a rushed-out system, seemingly compromised by unsafe processing practices.” A DHSC spokesperson told the Guardian that the department had “undertaken a number of separate DPIAs covering the constituent parts of the NHS Test and Trace service” and that an “overarching DPIA” was “in development”.
“An entire industry has been successfully set up at speed to tackle the most serious public health crisis we have faced in a century,” the spokesperson added. Our priority has been to save lives and protect public health and we will not apologise for doing so. NHS Test and Trace is committed to the highest ethical and data governance standards and there is no evidence of data being used unlawfully.”According to a freedom of information request filed by the Guardian, the test-and-trace programme has already experienced three data breaches involving personal data. In two, Serco, a private company contracted to run the programme, was looking to recruit contact tracers and accidentally sent out group emails using the “cc” function, exposing the contact details of its subcontractors. One of these was reported to the Information Commissioner’s Office, but the second was judged a “minor breach” and left unreported.
In a third, Ventrica, another private company, failed to properly redact the name and number of a contact of someone with a positive Covid-19 test result from a training video. This too was unreported.
In June, the Department of Health and Social Care made another concession to avoid a legal challenge, reducing the period of time it would keep personal data from 20 years to eight. But the privacy notice for the programme still claims it is necessary to keep personal data of people with symptoms for two decades, since “Covid-19 is a new disease and it may be necessary to know who has been infected, or been in close contact with someone with symptoms, to help control any future outbreaks or to provide any new treatments”.
In an effort to prevent the government making up the rules as it goes along, senior politicians have called on ministers to introduce legislation governing what the test-and-trace programme can and cannot focus on.
“It seems to us absolutely evident that the bill is needed,” Harriet Harman, the chair of the influential joint committee on human rights, said in June. “And instead of looking ahead to that fact, they’re going to wait until it’s urgent. Public opinion is very volatile about this sort of thing. One minute everyone can be seeing the absolute good sense, and the next they can have a lot of worries about it.”
Individual privacy and the risks that can come from the disclosure of personal health information — like stigma — are still critical concerns for public health officials, Lee stresses.But the actions public health officials can take, like collecting information, aren’t designed to limit privacy, Fairchild says.