The government has conceded that it launched an England-wide Test and Trace program without completing the expected privacy checks.
The scheme has been running since the end of May without a Data Protection Impact Assessment (DPIA), which is a process required by GDPR for any project that poses a high risk to the personal data of the people involved.
A DPIA is designed to identify and minimize the data protection risks of a project. But when the Test and Trace program started, reports soon emerged that the assessment had not been duly carried out by the government.
The public health scheme identifies all the people who have been in contact with a person who has been diagnosed with coronavirus, and collects personal information such as names, sex, postcodes, email addresses and telephone numbers.
In a privacy notice published at the start of the program, health authorities also said that the information gathered could be used for alternative purposes, such as research into COVID-19, and that patients had "limited" rights to ask for data to be deleted.
Since Test and Trace launched, privacy campaigner the Open Rights Group (ORG) has been in correspondence with the government, via data rights lawyer Ravi Naik, to ask that a DPIA be carried out for the program. Two weeks ago, the organization threatened to take legal action if the request continued to remain unanswered.
In a letter to the ORG, the Department of Health and Social Care (DHSC) has now admitted that while a DPIA was required, the scheme effectively launched in May without a privacy assessment in place. According to the DHSC, a DPIA is "currently being finalised".
The program's 27,000 staff have already contacted more than 155,000 people who may have been infected with the virus.
Failure to carry out the necessary checks was due to the speed at which the program had to be launched, said the DHSC in the letter. To reduce the burden on the NHS, and to lift lockdown restrictions as soon as possible, Test and Trace had to start at unprecedented speed and scale.
The DHSC maintained that despite the lack of a DPIA, there had been no misuse of patient data.
"There is no evidence of data being used unlawfully," said a spokesperson for the DHSC. "NHS Test and Trace is committed to the highest ethical and data governance standards – collecting, using, and retaining data to fight the virus and save lives, while taking full account of all relevant legal obligations."
Jim Killock, the director of ORG, told ZDNet that the unlawful use of data was a separate issue from the unlawful launch of a nationwide program.
"We didn't say that we have shown there has been unlawful processing of data," said Killock. "We said the government doesn't know if processing is or isn't lawful, because they failed to operate the program lawfully from the start."
Whether the data is being processed in accordance with GDPR regulations is therefore yet to be clarified, according to Killock, who nevertheless pointed to other potential risks.
For example, the DHSC admitted that scaling the Test and Trace program had required hiring third-party organizations to supply additional contractors on an urgent timescale, which the ORG stressed needed thorough oversight.
Individual contractors have reportedly shared data on social-media platforms, with details about infected patients appearing on Facebook and WhatsApp. The Information Commissioner's Office (ICO) said that it was looking into the problem.
"You have tens of thousands of people's data moving through this system, about people who have been infected or are at risk of infection," said Killock. "That's very sensitive data, and it's open to abuse and scams, because it is valuable to criminals. There is a lot of risk, so you need to get it right."
There isn't much more that the ORG can do, now that the organization has driven the government to admit that Test and Trace had started without appropriate privacy checks. Killock is insistent that it is now up to the ICO to hold health authorities accountable.
An ICO spokesperson said that the organization has been working with the government as "a critical friend" in this case, providing guidance and advice for some elements of the scheme, while maintaining that there is not always a requirement for a DPIA to be shared with the regulator.
"We recognize the urgency in rolling out the Test and Trace service during a health emergency," said the ICO spokesperson, "but for the public to have trust and confidence to hand over their data and that of their friends and families, there is also work needed to ensure the risks to that personal data are properly and transparently mitigated."
Killock, for his part, called for the ICO to end its "critical friend" stance, and argued that this position seemed to have come at the cost of effective regulation. "If the ICO doesn't provide consequences to the government's actions, the government won't change," he said. From now on, it's all eyes on the regulator.