Written evidence from Open Rights Group (COV0240)




Test and Trace did not undergo mandatory privacy impact assessment, which endangers the right to privacy of those who participate to the scheme.

After a legal challenge by Open Rights Group, the Department of Health and Social Care has admitted their Test and Trace programme was deployed without carrying out a Data Protection Impact Assessment (DPIA)—which is mandatory under UK law.[i] Contact tracing involves the processing health data of a large amount of people, and its security cannot be taken lightly.

The DHSC claims that there is no “evidence of data being used unlawfully”.[ii] However, the press have already reported that contact tracing data are being posted on Facebook groups,[iii] and being used to sexually harass women, through the collection of data in bars and restaurants.[iv] UK citizens should not be forced to renounce to the confidentiality of their health details (or to be exposed to inappropriate behaviour) in order to participate in Government programmes.

Assessing the privacy implications of Test and Trace from the outset would have allowed DHSC to identify these threats on time, and put safeguards into place to protect the confidentiality and security of contact tracing data. Failure to undertake this assessment reflects badly on Test and Trace: as the Independent SAGE points out, it is important to “ensure appropriate governance and safeguards for privacy and data misuse, to ensure trust and engagement”.[v]

Finally, we find no evidence whatsoever that DPIAs would entail, as the Secretary of Health put it, being “held back by bureaucracy”. For instance, Italy,[vi] France[vii] and Germany[viii] produced thorough DPIAs for their Coronavirus Apps, which are now up and running. Meanwhile, the NHSX App is expected to be released this Autumn, following a u-turn dictated by concerns around “technical and ethical issues”.[ix]

Since the Coronavirus App, Government has consistently been failing on privacy.

The Joint Committee for Human Rights identified clear time limits, sufficient oversight, security and confidentiality as fundamental aspects to reduce the interference of contact tracing with fundamental rights, and in particular the right to privacy.[x] Unfortunately, Government reckless behaviour has fallen short of addressing any of such issues throughout the duration of the crisis. This resulted in:

Lack of clear time limits on the use of data.

Test and Trace originally planned to store contact tracing data for up to 20 years,[xi] in breach of any reasonable standard of necessity. Their actual plans in this regard are still unclear: on the one hand, the DHSC has conceded to Open Rights Group that they would have lowered this period to eight years. However, their privacy notice was not updated since then, and to this date still reads “information collected by NHS Test and Trace for people with COVID-19 symptoms is kept by Public Health England for 20 years”.[xii]

Lack of sufficient oversight on the use of such data.

An independent Ethics Advisory Board was set up to monitor the privacy implications of digital contact tracing; however, it was then “kept in the dark” and denied access to the information they needed to effectively advise the development of NHSX App.[xiii] Furthermore, the Information Commissioner’s Office has been steadily refusing to hold Government to account, as Open Rights Group has thoroughly documented in our submission to the DCMS Committee.[xiv] This state of affairs has not changed, as the ICO keeps defining itself as a “critical friend” despite DHSC admitting they have broken the law.

Insecure systems and lack of confidentiality.

On top of the issues already mentioned regarding Test and Trace data, NHSX produced an insufficient DPIA for their Contact Tracing App,[xv] failing to mitigate the risks regarding the processing of digital contact tracing data. Furthermore, residents who were testing the App in the Isle of Wight were exposed to serious security flaws[xvi]—in the words of the National Cyber Security Centre, deliberate “compromises were made in the name of timeliness”.[xvii]

Parliament needs to act.

The Joint Committee for Human Rights proposed a Bill to establish additional legal safeguards over the use of digital contact tracing data,[xviii] an initiative which Open Rights Group and other civil society organisations supported.[xix]

However, the Secretary of State dismissed JCHR concerns, saying out that “once data have been collected, we are bound to the strict obligations set out in the GDPR, the Human Rights Act, […] and the common law duty of confidentiality”.[xx] Contrary to these premises, however, the Secretary of Health now states that he “won’t be held back by bureaucracy”,[xxi] and the DHSC keeps claiming—against the opinion of their own lawyers—that  DPIAs are in place and the system is operating lawfully.[xxii]

While this attitude is hardly indicative of a shift of approach, the integrity of Government programmes such as Test and Trace cannot be risked. Therefore, we call for the Joint Committee for Human Rights to voice their concern, and avoid public health programmes being run at the expenses of fundamental rights.

Furthermore,  as noted above enforcement of data protection rights is the task of the Information Commissioner’s Office. If, as we have seen, serious irregularities are a pattern, the ICO should be taking regulatory action including information notices, assessment notices and enforcement notices. It appears this has not happened. The JCHR should ask why not.




