NEWS20 July 2020

UK government in DPIA oversight

Covid-19 GDPR News UK

UK – The UK government is working with the Information Commissioner’s Office (ICO) after it failed to carry out the necessary privacy assessment before the launch of its Covid-19 test and trace programme.

Contact tracing covid tracking_crop

Open Rights Group (ORG), which campaigns for privacy and free speech online, had previously accused the government of failing to carry out a proper data protection impact assessment (DPIA) before the test and trace system to contain Covid-19 was put in place.

The government has accepted it did not carry out a DPIA for test and trace. DPIAs are necessary under the General Data Protection Regulation for projects deemed high risk to personal privacy and data security, and are intended to identify and minimise the data protection risks of a project.

The ICO said that it was working with the government on the DPIA for the test and trace programme as a “critical friend” to provide guidance and advice, and to ensure people’s data is protected.

“We recognise the urgency in rolling out the test and trace service during a health emergency, but for the public to have trust and confidence to hand over their data and that of their friends and families, there is also work needed to ensure the risks to that personal data are properly and transparently mitigated,” a spokesperson for the ICO said.

“People need to understand how their data will be safeguarded and how it will be used.”

Earlier this year, the government dropped plans to use an app based on a centralised database to complement the test and trace system. The use of a centralised database was criticised in some quarters over privacy concerns, and a decentralised version of the app is now being designed with Google and Apple.

A Department of Health and Social Care spokesperson said there was “no evidence” data was being used unlawfully by test and trace despite the issues over a DPIA.

“NHS Test and Trace is committed to the highest ethical and data governance standards – collecting, using, and retaining data to fight the virus and save lives, while taking full account of all relevant legal obligations,” the spokesperson said.

“We have rapidly created a large-scale test and trace system in response to this unprecedented pandemic. The programme is able to offer a test to anyone who needs one and trace the contacts of those who test positive, to stop the spread of the virus.”