NHS test and trace programme revealed to breach GDPR

The Department for Health and Social Care (DHSC) has admitted to failing to conduct a privacy risk assessment on the NHS test and trace scheme, which breaches GDPR rules.

The government's admission follows campaigns by the Open Rights Group (ORG), which has claimed the scheme has operated unlawfully since it launched on the 28th May.

The government department has written to the ORG to say that a Data Protection Impact Assessment (DPIA) is yet to be completed. However, the DHSC has insisted that there is no evidence that personal data has been utilised unlawfully.

“NHS Test and Trace is committed to the highest ethical and data governance standards – collecting, using, and retaining data to fight the virus and save lives, while taking full account of all relevant legal obligations,” said a DHSC spokesperson.

The department has also said that it is working alongside the Information Commissioner’s Office (ICO) to ensure correct data processing practices in accordance with the law, but the ORG’s executive director, Jim Killock, has condemned the government for ignoring the DPIA requirement enforced by GDPR.


“A crucial element in the fight against the pandemic is mutual trust between the public and the government, which is undermined by their operating the programme without basic privacy safeguards,” said Killock.

“The government bears responsibility for the public health consequences.”

Susan Hall, partner and ICT specialist at law firm Clarke Willmott LLP, has said that the Government’s statement declaring a lack of evidence for unlawful use of data “betrays a fundamental misunderstanding of the purpose of DPIAs”.

Hall continued: “As Recital 90 GDPR makes clear, DPIAs are intended to be carried out before any processing takes place, as a way of finding out where the risks of data leakage or misuse exist in the proposed scheme and pre-emptively blocking those risks, e.g. by enhanced technical or organisational security measures.

“It was clear from an early stage that test and trace programmes would be needed, so the DPIA should have been carried out then.”