Protecting Privacy?: The Government admits breaking GDPR rules in the NHS “Test and Trace” programme

August 7, 2020



What's going on here?

Following a legal challenge from privacy campaigners, the Department of Health and Social Care (DHSC) admitted that the Government broke the law and launched the NHS “Test and Trace” programme without a full assessment of the privacy implications.

What does this mean?

The admission given by the DHSC reveals that the Government overlooked the legal requirement to carry out a Data Protection Impact Assessment (DPIA), which is required under the General Data Protection Regulation (GDPR).

GDPR requires DPIAs to be carried out when there is “high risk” processing of personal data. It is a process designed to assess whether a proposed activity which involves collecting personal data is necessary and proportionate. The assessment helps to evaluate and mitigate the potential risks relating to individual rights and how their data is used, stored and distributed. This assessment is seen as a vital stage in an organisation showing compliance and demonstrating accountability under GDPR.

Although the Government has argued that the Test and Trace programme does not qualify as being “high risk” and that a DPIA was therefore not needed, they have said an overarching DPIA is being “finalised” and have assured that all data is being processed in accordance with the law. However, this new revelation has caused outrage amongst privacy campaigners and human rights groups who have been concerned about the Test and Trace programme since its launch in May.

What's the big picture effect?

This story demonstrates the difficult balancing act that the Government has faced; the need to tackle the most serious public health crisis quickly to avoid loss of life, whilst also upholding the protection of individual rights. Ultimately, the Government has prioritised speed which has undermined public trust and caused concern that potential risks have not been properly thought through. 

The Government’s neglect of GDPR compliance will no doubt be damaging for public relations. Jim Killock, executive director of the Open Rights Group, accused the Government of being “reckless” in undermining trust and the integrity of the programme. This news also comes as the Guardian’s Freedom of Information request revealed that the Test and Trace programme has experienced at least three data breaches involving email mishaps and unredacted information being shared in training videos, cementing campaigners’ concerns and proving the importance of the DPIA.

So what are the wider implications of this development? If the Government does not take GDPR seriously and adhere to basic privacy safeguards, it is likely that there will be a rise in claims and more litigation work for lawyers. But more importantly, the Government’s actions could see fewer people participate in the Test and Trace programme due to a loss of confidence in how their data will be handled. This will be damaging for the UK, because for the contact tracing system to be most effective, 60-80% of the population must be actively involved. An ineffective system could see the road to recovery become much longer.

In order to build accountability and show transparency, new legislation is likely to be implemented which will ensure that the emergency powers under the Coronavirus Act 2020 do not go too far. It is possible we may see a new Bill or independent body to oversee, review and govern the NHS programme.

Report written by Rebecca Lax
