UK’s coronavirus test and trace fails GDPR requirement

By Robert Scammell

The Department of Health has conceded that it launched the UK’s coronavirus test and trace programme without submitting a data protection impact assessment (DPIA) – a requirement under the General Data Protection Regulation (GDPR).

The admission comes after privacy campaigners at the Open Rights Group (ORG) sent a legal letter to the Department of Health and Social Care asking it to publish its DPIA.

This means the test and trace scheme, which collects information including names, date of birth, location data and contact details of recent interactions, has been operating unlawfully since it began on 28 May. However, the government said this does not equate to the data being misused.

Education Secretary Gavin Williams told the BBC: “In no way has [there] been a breach of any of the data that has been stored.”

However, Darren Wray, CTO at data privacy firm Guardum believes the education secretary is missing two key points.

“It often takes time for organisations to realise that they have experienced a data breach and secondly breach protection is what many would consider to be the very lowest bar in data protection requirements,” he said.

“English data protection legislation raised the bar well above this over 20 years ago.”

DPIAs are designed to carry out a risk assessment for projects where personal data is collected and ensure that the proper safeguards can be put in place.

This can range from the threat of cyberattacks to the improper use of personal data. There have been some examples of the latter with the test and trace scheme, with reports of some pub owners using contact details to customers inappropriately.

Test and trace: Speed vs privacy

While the pandemic has created a need to act quickly, privacy experts warn that sacrificing privacy will reduce trust in the system, which in turn may hamper test and trace’s effectiveness at tracking the spread of Covid-19.

“In a pandemic, shortcuts are taken on regulations with the bigger picture in mind about the safety of people’s lives,” said Jake Moore, cybersecurity specialist at internet security firm ESET.

“However, this has been detrimental to individual privacy, and has left the protection of our private data open to abuse – unfortunately, this could be precisely where criminals will strike.”

So far the 27,000 staff conducting the test and trace programme have contacted more than 155,000 suspected of having the virus.

“The rushed deployment from the government may have been a decision taken in good faith, but if people can’t trust the system, the biggest loser will still be our health,” added Rich Vibert, CEO and co-founder at privacy firm Metomic.

The Department for Health said it is now finalising its DPIA and working closely with the Information Commissioner’s Office.

The UK’s contact-tracing app, originally billed as a key part of the test and trace programme, is yet to be rolled out despite initially being promised for a May launch.

Read more: Contact tracing apps: “It’s better to do it right than quick”

Verdict deals analysis methodology

This analysis considers only announced and completed cross border deals from the GlobalData financial deals database and excludes all terminated and rumoured deals. Country and industry are defined according to the headquarters and dominant industry of the target firm. The term ‘acquisition’ refers to both completed deals and those in the bidding stage.

GlobalData tracks real-time data concerning all merger and acquisition, private equity/venture capital and asset transaction activity around the world from thousands of company websites and other reliable sources.

More in-depth reports and analysis on all reported deals are available for subscribers to GlobalData’s deals database.

Topics in this article: ,