In the rush to halt the virus, has the Government broken the law?
According to the Information Commissioner’s Office (ICO) a Data Protection Impact Assessment (DPIA) is "a process designed to help you systematically analyse, identify and minimise the data protection risks of a project or plan. It is a key part of your accountability obligations under the GDPR… It does not have to eradicate all risk, but should help you minimise and determine whether or not the level of risk is acceptable in the circumstances, taking into account the benefits of what you want to achieve."
It has therefore come as a shock to many people to discover that the Government itself, in the guise of the Department of Health, failed in its legal obligation to carry out a DPIA when it rolled out its Coronavirus Test and Trace programme on 28th May. The admission came as a result of legal action by the information rights campaigners Open Rights Group (ORG), which asserts that the failure to undertake a DPIA renders the entire programme unlawful.
Trust, test and trace
The successful operation of the Test and Trace system involves people being asked to share sensitive personal information. This requires a huge amount of trust on the part of the public, making a DPIA even more important. For example, the personal details that subjects are obliged to submit include name and full address, details of cohabitants, places recently visited and names and addresses of recent contacts, including sexual partners.
The ORG Chief Executive, Jim Killock, described the Department of Health’s conduct as reckless and added: "A crucial element in the fight against the pandemic is mutual trust between the public and the government, which is undermined by their operating the programme without basic privacy safeguards."
The ICO has confirmed that it has been working with the Government and providing guidance to ensure that the data collected is processed fairly, but no action has been taken regarding the failure to undertake a DPIA. However, a spokesperson for the regulator told the BBC that although they recognised the urgency in rolling out the programme, in order for the public to have confidence in handing over their personal data and that of their contacts, "people need to understand how their data will be safeguarded and how it will be used."
A Department of Health spokesperson said that the Government was "taking full account of all relevant legal obligations." The lawyer acting on behalf of ORG however asserted that a DPIA was more than just a tick-box exercise, saying it would "ensure that risks are mitigated before processing occurs, to preserve the integrity of the system. Instead, we have a rushed-out system, seemingly compromised by unsafe processing practices."
GDPR still applies - even during a pandemic
The Test and Trace programme has also fallen foul of GDPR in some other respects, including overlong retention periods and the sharing of personal data on public platforms.
One of UK Training's senior GDPR expert presenters, Peter Blenkinsopp, sums up why the failure to carry out a DPIA is so important: "The official guidance published by the European Data Protection Board sets out nine clear criteria that mark data processing as high risk; meeting any one of these criteria makes a DPIA mandatory. It is arguable that the NHS Test and Trace system meets almost all of these criteria!"
Written by Paul Murphy