England’s NHS Test and Trace programme found to violate GDPR


The UK government has conceded that England's NHS Test and Trace programme violates GDPR data privacy law. The programme, which was poised to be a major player in the UK's response to the pandemic, has been found to be operating unlawfully since launching on 28 May.

The news emerged following threats of legal action from the Open Rights Group (ORG), a UK-based organisation that works to preserve digital rights. The group found that the programme had evaded a data protection impact assessment (DPIA) prior to launching, which is explicitly required by the GDPR.

Without conducting the DPIA prior to the commencement of the programme, the government cannot be sure what risks they are running. As ORG puts it, “the Government, and the entire UK public along with them, are walking into this project blind.”

ORG threatened to go to court to pressure the government into conducting the assessment and publishing the results. This led to the Department of Health and Social Care's acknowledgement that the DPIA, which was indeed a legal requirement, had not been completed.

Following the government's concession, Jim Killock, Executive Director of Open Rights Group said “The reckless behaviour of this Government in ignoring a vital and legally required safety… has endangered public health.”

Ravi Naik, Legal Director of the new data rights agency AWO, who acted on behalf of ORG, reminded that “These legal requirements are more than just a tick-box compliance exercise. They ensure that risks are mitigated before processing occurs, to preserve the integrity of the system. Instead, we have a rushed-out system, seemingly compromised by unsafe processing practices.”

The news is yet another blow to the supposedly ‘world beating' programme, as per Boris Johnson's pledge. Other criticisms include The Times' report that some contact tracers shared screenshots of patients' data in WhatsApp and Facebook groups, another major privacy violation.

The Test and Trace programme could have been an extremely powerful asset to England's coronavirus recovery effort, but it has been riddled with problems since its advent. England was also over two months into lockdown before the app was launched, meaning a large window of time was lost before it was readily available.

Worse still, the programme is not the only data failure in the country's pandemic response. Public Health England has had to suspend publication of daily fatalities after concluding statistical flaws – a realisation that only occurred months into the pandemic.