The Open Rights Group (ORG) has said that England’s COVID-19 Test and Trace programme is in breach of GDPR.
Test and Trace
The COVID-19 test and trace system requires people to share personal data such as their name and date of birth, their address, places they’ve recently visited and the personal details of those they have recently been in close contact with.
The ORG has alleged that England’s test and trace programme was deployed without the necessary Data Protection Impact Assessment (DPIA).
Seeking An Immediate DPIA
The ORG, therefore, threatened to take the government to court unless it agreed to immediately conduct a DPIA, alleging that England’s (under the UK Government) entire Test & Trace programme had been operating unlawfully and in breach of GDPR since its launch on 28 May 2020.
Jim Killock, Executive Director of Open Rights Group has said, for example, that “The reckless behaviour of this Government in ignoring a vital and legally required safety step known as the Data Protection Impact Assessment (DPIA) has endangered public health”, and that “we have already seen individual contractors sharing patient data on social media platforms, emergency remedial steps will need to be taken”.
The DPO says that The Department of Health and Social Care (DHSC) has admitted that Test and Trace was deployed without a DPIA and Ravi Naik, Legal Director of the new data rights agency AWO, acting on behalf of ORG said that “The Government has made two significant concessions to our clients. Firstly, when asked to justify retaining COVID-19 data for 20 years they couldn’t do so and agreed to reduce the period to 8 years” and that “Secondly, they have now admitted Test and Trace was deployed unlawfully. This is significant. It is a legal requirement to conduct an impact assessment before data processing takes place.”
The Government Says
Although Education Secretary Gavin Williamson said recently on BBC TV that there had not been any breach of the data stored and that a track and trace system needed to be set up quickly in order to help fight the virus, the Information Commissioner’s Office (ICO) is understood to be already investigating Track and Trace and is providing guidance to the government.
What Does This Mean For Your Business?
The effects of the virus and the lockdown on UK businesses has been profound and having an effective Test and Trace system working quickly and widely may be one of the tools that could help UK businesses and the economy recover more quickly. That said, just as businesses must operate within data protection laws, and face fines for not doing so, the government also has a responsibility to do so. As pointed out by ORG “A crucial element in the fight against the pandemic is mutual trust between the public and the Government, which is undermined by their operating the programme without basic privacy safeguards”.