Test and Trace: We'll hold onto your data for eight years now - down from 20

Still feels like a lot? That's because it is.
Written by Daphne Leprince-Ringuet, Contributor

The UK's health authorities have agreed to slash the amount of time that personal information about people with coronavirus will be held, after the public body was challenged by a digital rights organization.  

Last month, in a privacy notice, Public Health England (PHE) announced that personal data accumulated from the Test and Trace program would be retained by the NHS for 20 years. The organization has now revised the policy and reduced the data retention time to eight years. 

The Test and Trace program, which is designed to identify all the people who have been in contact with a person who has been diagnosed with coronavirus, collects personal information such as names, sex, postcodes, email addresses and telephone numbers.

In the privacy notice published at the start of the program, PHE said that the data could be used for purposes not directly linked to patient health and care, such as research into COVID-19. 

While patients have the right to get copies of their information and to correct it, they only have "limited" rights to object to their personal data being used, or to ask for information to be deleted.

Yvonne Doyle, medical director at PHE, told ZDNet: "As COVID-19 is a new and emerging infection we initially planned to keep personal data for longer in case we needed to get back in touch with those who had tested positive with additional information. Following a review of this we will now be keeping personal data for eight years, though we will keep this under review."

The Open Rights Group's (ORG) executive director Jim Killock said that the privacy notice that was originally published by the health services immediately raised alarm bells, and not only because of the length of data retention. 

"When the notice was published, it was pretty poorly drafted, and our concerns were that they were rushing the program ahead and didn't think the privacy aspect through," Killock told ZDNet.

Reports later emerged that the new Test and Trace program did not complete the mandatory Data Protection Impact Assessment (DPIA) before it was launched. A DPIA is a process that helps an organization identify and minimize the data protection risks of a project. 

The Information Commissioner's Office (ICO) recently stated that a DPIA is required for contact-tracing solutions prior to implementation, since the service can result in high risks to the rights of citizens. According to Politico, PHE said it was in the process of preparing a DPIA for Test and Trace, and expects to publish it "shortly".

As a result, ORG commissioned digital rights lawyer Ravi Naik to clarify the government's initial plans. "The privacy notice made no reference to a DPIA," said Killock. "So, we wrote to the government to ask exactly what was going on, whether they had in fact done one, if they intended to do one, and why they had chosen such a long data retention period."

"This is pretty extraordinary," continued Killock. "Doing a DPIA is not just an academic exercise, it's about understanding the risks you're running. It's surprising they haven't done more to check they are using people's data safely."

Naik has since been in private correspondence with the government to ask for more transparency on the way that data will be handled as part of Test and Trace. Although PHE has conceded that the data retention time was too lengthy, and has now reduced it, Naik tweeted that there is "still no sign of the DPIA".

Killock said that although the new eight-year timeframe is encouraging, it is still not enough to provide reassurance that the government is setting up appropriate safeguards to protect personal data. 

To ensure that people are comfortable sharing their information with the program, health authorities have to make the process risk-free. According to Killock, this means performing the mandatory DPIA, and deleting the data as soon as it stops being useful.

"Eight years still feels like a lot," said Killock. "The key question is, is somebody who has fallen ill going to feel comfortable handing the data of their families and friends to this scheme? We hope the government will make some further moves, and we'll keep on putting pressure on them."

PHE has stated that all data collection is fully compliant with the GDPR and the Data Protection Act.
