Following a legal challenge brought by Open Rights Group (ORG), the UK Department of Health and Social Care (DHSC) has admitted that it has been running the Test and Trace program without a Data Protection Impact Assessment (DPIA). This is a requirement under the General Data Protection Regulation (GDPR) for projects that handle personal data.
Without such a legal safeguard, there is a risk of personal data protection breaches.
Ravi Naik, legal director of the new data rights agency AWO, who was instructed to act on behalf of ORG, said that the UK government has now "admitted Test and Trace was deployed unlawfully."
According to him, the initiative has been illegal ever since its launch on May 28. "This is significant. It is a legal requirement to conduct an impact assessment before data processing takes place," he explained.
The UK government has not explicitly conceded that it has broken any privacy laws, but it has admitted operating without a DPIA. A spokesperson for the Department of Health and Social Care claimed the NHS program was committed to the "highest ethical and data governance standards."
They added that it was important to draw a distinction between the initiative itself being unlawful and the way it was processing NHS patients' data, which they say has been handled lawfully.
Prime Minister Boris Johnson's administration insisted that there was "no evidence of data being used unlawfully." The DHSC made its admission after ORG threatened to take the government to court unless it agreed to carry out a DPIA immediately.
Jim Killock, ORG's executive director, hit out at the government, branding its behavior "reckless" in ignoring the legally required safety step and saying it had thereby "endangered public health."
Killock suggested that mutual trust between the government and the public – a critical element in any successful fight against the deadly disease – had been undermined by operating a program without basic privacy safeguards.
The DHSC spokesperson would not confirm whether a report in the Sunday Times – which found Test and Trace staff were sharing patients' confidential data on various social media platforms – was evidence of data being used unlawfully.
The NHS Test and Trace system requires people who have tested positive for coronavirus to self-isolate and share personal details – such as home addresses and phone numbers – of those with whom they have come into close contact. Contact must have taken place within a nine-day timeframe, starting 48 hours before symptoms first appeared.