The NHS Test and Trace Programme leaves no doubt that it involves the processing of personal data on a large scale. The service was established to form a central part of the government’s coronavirus recovery strategy and was formally launched on the 28th of May 2020. The aim of this service is to help identify, contain and control COVID-19, reducing the spread of the virus and saving lives.
An initial DPIA was deemed unnecessary
Due to the urgency attached to the programme, a decision was made to forgo the necessary privacy audits. The Open Rights Group (ORG), a privacy champion, has openly challenged this decision and demanded that a retrospective Data Protection Impact Assessment (DPIA) take place.
There are 27,000 NHS Test and Trace staff (some of whom are third-party contractors) responsible for the collection of patient data that contains names, gender, contact details and address, as well as the contact details of anyone who might have come into contact with the infected individual. A DPIA is obligatory prior to the “high risk” processing of personal data. Previously, the UK government had argued that the Test and Trace programmes did not qualify as high risk, and ORG threatened to take it to court.
Since the demand by ORG, the Department of Health and Social Care (DHSC) has delivered a response in which it concedes that, due to the urgent nature of the programme, privacy checks were bypassed. The DHSC explained that a DPIA would soon be conducted and that its obligation to ensure data protection compliance must be built into every aspect of the programme.
The ICO intervened
The help of the Information Commissioner’s Office (ICO) has been enlisted to ensure the scheme operates within the bounds of the data protection regulation on an ongoing basis. A vital part of the fight against the pandemic is mutual trust between the public and the government. The way the Test and Trace programmes were launched threatened and undermined that needed trust. The ICO has since published simple steps to be followed by businesses asked to record and maintain personal data of customers, staff and visitors in support of the test and trace scheme. Since then, the DHSC has published a DPIA on the Test and Trace programme.
Will the Test and Trace programme uphold all individual rights?
It’s difficult to answer this question. However, it should be noted that the ORG began investigating the Test and Trace programme shortly after The Times reported that patient data was posted to groups on Facebook and WhatsApp. Other privacy issues could be revealed as time goes on, but the newly mandated DPIA measures should help with maintaining privacy protection.
Test and Trace has shown the importance of the DPIA
COVID-19 has changed our lives in many ways, including our privacy. While the Test and Trace programme has raised many privacy issues, it has also shown the importance of conducting a DPIA for the handling and processing of individuals’ data.
Since the COVID-19 outbreak, the privacy landscape may have changed how your organisation is now processing personal data. As many have moved to a Working From Home (WFH) environment, this might have altered how data is being processed. If you haven’t already, you should consider updating DPIAs to address any changes.
If you have any questions on when or how to conduct a DPIA, please feel free to contact one of our experts.