Government's test-and-trace programme is illegal under GDPR

The government skipped essential data privacy impact assessments in its rush to get the system up and running

The Department of Health has admitted that England's test-and-trace programme has been operating in contravention of privacy legislation for months, resulting in a threat of legal action from campaigners.

The DoH has said that the government launched the test-and-trace programme - which aims to trace people who may have been exposed to members of the public infected with COVID-19 - without carrying out a data protection impact assessment (DPIA). The Open Rights Group (ORG) says that this means the initiative has been unlawful since it was launched in late May.

The government says there is no evidence of data being used unlawfully. Speaking on BCC Breakfast, Education Secretary Gavin Williamson said, "In no way has [there] been a breach of any of the data that has been stored."

He continued, "I think your viewers will understand that if we are to defeat this virus, we do need to have a test and trace system and we had to get that up and running at incredible speed.... Are you really advocating that we get rid of a test and trace system? I don't think you are."

Sensitive data shared in the test-and-trace system include names, dates of births, postcodes, housemates and recent movements. People are also required to share the names and contact details of people they have been in contact with.

The ORG has said it could go to court to force a DPIA, which is a requirement of the GDPR. A letter to the Group from the DoH confirmed that a DPIA had not been obtained.

A DPIA is, in effect, a risk assessment for the handling of personal information. It is a legal requirement under both the UK's own Data Protection Act and the European Union's GDPR.

Jim Killock, ORG's executive director, called the government "reckless." He added, "A crucial element in the fight against the pandemic is mutual trust between the public and the government, which is undermined by their operating the programme without basic privacy safeguards."

The Information Commissioner's Office (ICO) is working with the government to ensure data is processed within the requirements of the law - but told the BBC, ‘people need to understand how their data will be safeguarded and how it will be used' if they are to trust the programme.

The ICO is already investigating test-and-trace after reports that some contact tracers had posted private information to social media.

A web of data

The scale of test-and-trace is daunting, involving multiple private companies including AWS, SITEL Group and Serco. These firms handle the data storage and employ contact tracers to track the people who have been passed on to the contact tracing operation.

More than 1.9 million people had been tested in the UK as of the 8th July (the latest statistics available), and 35,000 positive cases have had their details passed to test-and-trace. Tracing teams have contacted about 84 per cent of people identified as having been in contact with those infected - almost 156,000 individuals.

All of that means the test-and-trace programme has access to a vast amount of personal data, and safeguarding it is key.

Ravi Naik - a lawyer at the AWO data rights consultancy, which is working on ORG's behalf - said, "By failing to conduct the appropriate assessment, all the data that has been collected - and continues to be collected - is tainted."

He added, "It is a concern that it took the threat of legal proceedings to force this admission, rather than just doing the DPIA before deploying the system or at least when we first asked."

Jake Moore, a cybersecurity specialist at ESET, said, "In a pandemic, shortcuts are taken on regulations with the bigger picture in mind about the safety of people's lives. However, this has been detrimental to individual privacy, and has left the protection of our private data open to abuse - unfortunately, this could be precisely where criminals will strike.

We have seen bar staff make unwarranted contact with pub goers, which is just the start of unwanted contact and shows how it could be used in the wrong hands. Moreover, such disingenuous use of the track-and-trace programme could lead to people leaving false contact details behind, potentially causing the programme to fall over before it has had a chance to show how powerful it could be in reducing the spread of COVID-19."