The Open Rights Group, which campaigns for digital rights, has filed a complaint with the Information Commissioner’s Office (ICO) alleging that the NHS Covid-19 programme does not comply with data protections.
The group has also written to the Health Secretary Matt Hancock and the CEOs of NHSX and Public Health England (PHE) to request answers about how individuals’ data will be protected.
The test and trace system is at the centre of the government’s plans to loosen lockdown and reopen the UK economy. It is inspired by the successful implementation of mass testing, contact tracing, and isolation in other countries such as South Korea and Taiwan. It aims to provide fast testing for people with Covid-19 symptoms, with positive results prompting that individual and any recent contacts to go into self-isolation until they are no longer likely to be infectious.
The programme will involve manual tracing – in which people are called by contact tracers and advised to go into self-isolation – complemented by a contact-tracing app, which will use Bluetooth to detect people nearby. It is not known when the app will be launched nationwide.
The Open Rights Group argues that the programme does not have sufficient safeguards for the intimate health data that will be collected, potentially from millions of people. Data included will include name, date of birth, sex, NHS number, contact details, and symptoms of the individual, as well as contact details of their contacts (who would not be able to consent meaningfully to having their information shared).
The ICO complaint argues that the NHS and PHE failed to carry out a data protection impact assessment (DPIA) before beginning to launch the scheme, initially with a limited trial of the contact-tracing app on the Isle of Wight. GDPR calls for DPIAs to be carried out prior to proceeding with high-risk data-processing programmes; the group argues that the test and trace scheme qualifies as such due to the sensitivity of the personal data collected, its national scale, and its experimental nature.
The group is also concerned about what will happen to these data, which will be held for 20 years. They argue that this “seems excessive and likely to put people off participation”.
NHSX CEO Matthew Gould has indicated that users of the NHS app for test and trace will not have the right to request that their data are deleted once uploaded to a central server due to technical complications. It also remains uncertain which third parties – such as different government bodies or private data analytics companies – will have access to these data.
“The ICO must act to enforce the law. The government is moving too fast, and breaking things as a result,” said Jim Killock, the group’s director. “If they carry on in this manner, public confidence will be undermined, and people will refuse to engage with the track and trace programme.”
MPs, privacy activists and some academics have urged the government to put in place specific privacy protections for the programme. Harriet Harman, chair of the Joint Committee on Human Rights, has submitted a draft bill to the government laying out individuals’ data privacy rights regarding contact tracing. The government has declined to take up the draft bill, with ministers given their personal assurances that data will not be misused.
The Open Rights Group is being represented by data rights lawyer Ravi Naik, who is recognised for leading the legal case against Cambridge Analytica, as well as representing clients in cases concerning the practices of Facebook and Google.
Sign up to the E&T News e-mail to get great stories like this delivered to your inbox every day.