The Government has admitted, following a legal challenge from a privacy campaigning organisation, that it deployed the COVID-19 'Test and Trace' programme without carrying out a Data Protection Impact Assessment (DPIA) beforehand.
Open Rights Group (ORG) had threatened to take the Government to court unless it agreed to immediately conduct a DPIA.
ORG claimed that the lack of a DPIA meant the Government’s Test & Trace programme had been operating unlawfully since its launch on 28 May 2020.
Jim Killock, Executive Director of Open Rights Group said: “The reckless behavior of this Government in ignoring a vital and legally required safety step known as the Data Protection Impact Assessment (DPIA) has endangered public health. We have a ‘world beating’ unlawful Test and Trace programme.
“A crucial element in the fight against the pandemic is mutual trust between the public and the Government, which is undermined by their operating the programme without basic privacy safeguards. The Government bears responsibility for the public health consequences.”
Killock added: “The Test and Trace Programme is central to easing the lockdown and getting the economy growing again. The ICO should have taken action but did not. We were forced to threaten judicial review to ensure that people’s privacy is protected.
“The ICO and Parliament must ensure that Test and Trace is operating safely and lawfully. As we have already seen individual contractors sharing patient data on social media platforms, emergency remedial steps will need to be taken.”
Ravi Naik, Legal Director of the new data rights agency AWO, who was instructed to act on behalf of ORG said: “The Government has made two significant concessions to our clients. Firstly, when asked to justify retaining COVID-19 data for 20 years they couldn’t do so, and agreed to reduce the period to eight years.
“Secondly, they have now admitted Test and Trace was deployed unlawfully. This is significant. It is a legal requirement to conduct an impact assessment before data processing takes place. No impact assessment has been conducted for Test and Trace. By failing to conduct the appropriate assessment, all the data that has been collected – and continues to be collected – is tainted.”
Naik added: “These legal requirements are more than just a tick-box compliance exercise. They ensure that risks are mitigated before processing occurs, to preserve the integrity of the system. Instead, we have a rushed-out system, seemingly compromised by unsafe processing practices.”
ORG’s pre-action letter was sent by AWO on behalf of ORG to Matt Hancock, Secretary of State for Health and Social Care.
The Government’s response to the letter - sent by the Government Legal Department - admitted that a DPIA was and is required but added that it was “currently being finalised, drawing on the extensive data protection compliance work (including existing DPIAs on parts of the Programme) done on the substance of the Programme’s processing of personal data, including through detailed engagement with the Information Commissioner”.
It added that the DPIA would be the subject of reviews and updates as the programme evolved.
“Accordingly, a claim for judicial review would achieve nothing in addition to the existing position of the Defendant,” the reponse argued.
It said: “It will doubtless be appreciated that the creation, development and adjustment of the Programme has had to occur on an unparalleled scale with unparalleled urgency, to help to meet the most serious public health crisis in a century. The primary focus of all of those involved in the Programme has been to ensure it functions effectively to save lives and protect public health.
“The absence of a DPIA for every aspect of the Programme cannot be and should not be equated with a failure to ensure that the protection of personal data has been an important part of the Programme’s design and implementation. As noted above, critical aspects of the Programme have been the subject of compliance work, DPIAs and privacy notices (which reflect that compliance work) throughout.”
The Department also said where a person wished to allege a breach of Article 35 GDPR, that was a matter for which there was a clear adequate alternative remedy: a complaint to the United Kingdom’s supervisory authority, the Information Commissioner.
The involvement of the Administrative Court “would simply duplicate a regulatory process already in train,” it added.