#Privacy: UK’s COVID-19 tracing app launched before DPIA completion

It has emerged that the UK’s Coronavirus Test and Trace programme failed to complete a data protection impact assessment (DPIA) prior to its launch. 

Rolled out on May 28, the NHS Test and Trace Service is said to help the UK return back to normal life after the pandemic by tracking down and isolating those who have been in contact with anybody who has tested positive for COVID-19

Those testing positive will be required to promptly share information about their recent contacts through the app to help alert others who may need to self-isolate. 

Subsequently, the app will see thousands of individuals hand over their personal data , including names, gender, dates of birth, home addresses, telephone numbers and email addresses. Under GDPR and the NHS Act 2006, the data can be held by government bodies for up to 20 years. 

However, just recently Public Health England confirmed to POLITICO that the app had gone live prior to completing the legally mandated DPIA. According to the Information Commissioner’s Office, a DPIA must be completed for the processing of data that is “likely to result in a high risk to individuals.” 

“Public Health England, supported by the NHS Business Services Authority, is preparing a data protection impact assessment for the NHS Test and Trace system,” Julia Thompson, a spokeswoman, said in a statement. It “expects to publish this shortly.”

Ravi Naik, data rights lawyer for the Open Rights Group (ORG) stressed to POLITICO that by failing to carry out the assessment, it raises concerns if the UK authorities have fully addressed all possible privacy implications. 

“If they have deployed the system without considering those risks, that is a problem and may further undermine efforts to get people to take part in the system,” said Naik. “Confidence and trust is key. Missteps like this will only lose public trust.”

Jim Killock, the ORG’s executive director said: “The government needs to better explain its reasoning; what they have done so far has been rushed. Our concern is people will feel reluctant to participate if they feel their personal data is leaving their control.”

Harriet Harman, chair of the Joints Committee on Human Rights (JCHR), concerned about the lack of regulation around data, has called for a new bill to be introduced to safeguard data privacy.

“It seems to us absolutely evident that the bill is needed,” Harman told the Guardian. “And instead of looking ahead to that fact, they’re going to wait until it’s urgent. Public opinion is very volatile about this sort of thing. One minute everyone can be seeing the absolute good sense, and the next they can have a lot of worries about it.”

Despite this, the Health Secretary Matt Hancock has argued that current data protection legislation is sufficient, and “will do the job.”

“I’d rather they just did the bill, because I don’t want to be turning around and saying ‘I told you so’ when there’s some sort of scare and confidence collapses and the important test-trace-isolate initiative hits a roadblock,” Harman added.


Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.

Reserve your place before 2nd October, and receive VIP access to PrivSec Global which includes priority access to limited space sessions, workshops, networking opportunities and exclusive content.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.