Home » Topics » Data Protection & Privacy » NHS test and trace programme revealed to breach GDPR

NHS test and trace programme revealed to breach GDPR

Avatar photoby Aaron Hurst

The Department for Health and Social Care (DHSC) has admitted to failing to conduct a privacy risk assessment on the NHS test and trace scheme, which breaches GDPR rules.

The reveal from the government comes following campaigns from the Open Rights Group (ORG) that claimed unlawful practice on the part of the scheme since it launched on the 28th May.

The government department has written to the ORG to say that a Data Protection Impact Assessment (DPIA) is yet to be completed. However, the DHSC has insisted that there is no evidence that personal data has been utilised unlawfully.

“NHS Test and Trace is committed to the highest ethical and data governance standards – collecting, using, and retaining data to fight the virus and save lives, while taking full account of all relevant legal obligations,” said a DHSC spokesperson.

The department has also said that it is working alongside the Information Commissioner’s Office (ICO) to ensure correct data processing practices in accordance with the law, but the ORG’s executive director, Jim Killock, has condemned the government for ignoring the DPIA requirement enforced by GDPR.

Data protection and GDPR: what are my legal obligations as a business?

As the two-year anniversary of GDPR approaches, Guy Wilmot, partner in the Technology and Growth team at Russell-Cooke, explores the continued legal obligations for businesses. Read here

“A crucial element in the fight against the pandemic is mutual trust between the public and the government, which is undermined by their operating the programme without basic privacy safeguards,” said Killock.

“The government bears responsibility for the public health consequences.”

Susan Hall, partner and ICT specialist at law firm Clarke Willmott LLP, has said that the Government’s statement declaring a lack of evidence for unlawful use of data “betrays a fundamental misunderstanding of the purpose of DPIAs”.

Hall continued: “As Recital 90 GDPR makes clear, DPIAs are intended to be carried out before any processing takes place, as a way of finding out where the risks of data leakage or misuse exist in the proposed scheme and pre-emptively blocking those risks, e.g. by enhanced technical or organisational security measures.

“It was clear from an early stage that test and trace programmes would be needed, so the DPIA should have been carried out then.”

Avatar photo

Aaron Hurst

Aaron Hurst is Information Age's senior reporter, providing news and features around the hottest trends across the tech industry.

Related Topics

Covid-19
Data Protection
EU General Data Protection Regulation (GDPR)

Related Stories

Data Protection & Privacy

The future of private AI: open source vs closed source

As regulation of artificial intelligence evolves, the future of AI could be private in nature - here's how adoption of open and close source capabilities would compare

Blockchain

How fully homomorphic encryption can solve blockchain’s privacy problem

Jason Delabays explains how fully homomorphic encryption can help businesses innovating with blockchain ensure privacy long-term.

Data Protection & Privacy

Combining Qumulo integration with open source backup software

Software development automation platform Yuzuy has been looking to drive value from integration with Qumulo and customer partnerships

Data Protection & Privacy

Class action lawsuit filed against OpenAI over “stolen private information”

OpenAI, developer of ChatGPT, has been hit with a class action lawsuit alleging misappropriation of personal data scraped from the web