Covid results emails may breach GDPR

Messages from the Department of Health and Social Care contain personally identifiable information, warns Kuan Hon

Free, rapid lateral flow tests for coronavirus are now available in England, but the government notifications confirming the results appear to contravene several articles of the GDPR.

All results from the new tests, even if negative, should be reported; but Dr Kuan Hon, director at Fieldfisher, writes that confirmatory emails from the Gov.UK Notify service contain personally identifiable information (PII), and are likely to have issues with GDPR compliance.

As well as general coronavirus advice like the importance of social distancing, each Notify email contains the user's name, date of birth and NHS number. As Kuan says, "Full marks for promptness, but - for security/privacy...?"

Email is, at its heart, an insecure medium, too easy to hack or intercept - or even read over someone's shoulder. The personal details are included to prove that an email is from official government channels, which was common in the analogue (i.e. paper-based) past; but in a world of digital identity theft, such practices must be reviewed. And as Kuan points out, the email itself is pointless:

"I'm OK with the UK DHSC requesting my DoB and NHS number (as long as they store it securely and share it securely and only on a need to know basis). But, I already know my own DoB and NHS no., wouldja believe it, and, with this type of home test kit, I do actually already know my result! There's absolutely no need to email any of that info to me."

The Notify emails breach at least four articles of the GDPR:

• Article 5 (1)(f), stating that PII 'must be processed in a manner that ensures appropriate security of the personal data'
  • The related Article 32, regarding security of processing
• Article 5 (1)(c), stating that PII shall be 'adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation')'
• Article 25, covering data protection by design and by default
• Article 35 on data protection impact assessments (DPIAs)

While the layperson may not be put off, data-conscious individuals might think twice about reporting their test results (which is not, currently, a legal requirement), to lower the risk of data and identity theft - with knock-on effects on NHS data collection and virus tracking.

A Department of Health and Social Care spokesperson said:

"NHS Test and Trace takes the handling and storing of all personal data very seriously and we have processes in place to manage people's data safely.

"Emails provide individuals with a record of their test results, and it is important any message confirming a test result can be uniquely identified to the individual, for instance in hospitals when individuals undergo elective surgery, or care homes on behalf of their residents."

The spokesperson added that it is optional, not mandatory, for an individual to submit their NHS number when registering a test, and that NHS Test and Trace takes "every precaution" to ensure it is GDPR compliant.