A crucial element of England’s coronavirus recovery effort has been operating for months without fully taking into account how people’s data could be abused, the government has admitted. A mandatory risk assessment for how data is handled has not been completed for the Test and Trace system, which went live on May 28.
The government concession follows a threat of legal action from privacy and free speech organisation Open Rights Group (ORG). Two weeks ago it issued a legal letter to the Department of Health and Social Care calling for the publication of a Data Protection Impact Assessment (DPIA) for the whole of the Test and Trace system.
The government has now confirmed it failed to complete a risk assessment for how data was used when Test and Trace launched. What’s more, that risk assessment still hasn’t been completed – though it is being “finalised”.
“They have now admitted Test and Trace was deployed unlawfully,” says Ravi Naik, legal director of data rights agency AWO, which is working on ORG’s behalf. “By failing to conduct the appropriate assessment, all the data that has been collected – and continues to be collected – is tainted.”
“It is a concern that it took the threat of legal proceedings to force this admission, rather than just doing the DPIA before deploying the system or at least when we first asked,” Naik adds.
A DPIA is effectively a risk assessment for the handling of personal information. DPIAs are legal requirements under the UK Data Protection Act and the European Union’s GDPR and are designed to consider how people’s data could be misused or be subject to abuse by those who collect it. This can include everything from the threat of hacking to a staff member accessing information they shouldn’t have. DPIAs should be completed before the collection of data begins.
In response to ORG’s threat of legal action the Government Legal Department, writing on behalf of Matt Hancock, the secretary of state for health, said it would have been “preferable” for the government to have created a DPIA for Test and Trace “prior to the commencement”.
“The primary focus of all of those involved in the Programme has been to ensure it functions effectively to save lives and protect public health,” the government’s legal team states. It adds that it has taken data protection seriously and published privacy notices about the data Test and Trace can collect. “The absence of a DPIA for every aspect of the programme cannot be and should not be equated with a failure to ensure that the protection of personal data has been an important part of the programme’s design and implementation.”
The Test and Trace system is complex and involves a number of private companies. These include Serco UK, SITEL Group and Amazon Web Services, who between them provide data storage and employ contact tracers. The government’s legal team added that “there should have been impact assessments in whatever form in place addressing all of those aspects”.
The amount of data Test and Trace collects is significant. The system works by asking those who have tested positive for coronavirus to reveal who they have been near to in recent weeks. These people are then contacted and asked to self-isolate in case they have contracted Covid-19 and may pass it on to their own contacts.
People who test positive are asked to hand over their date of birth, sex, NHS number, email, telephone and Covid-19 symptoms as well as the contact details of those they’ve been around. From May 28 to July 8, the latest statistics available, 1,956,198 people have been tested for Covid-19 and 34,990 positive cases have had their details passed to the contact tracing operation.
Once contacted by contact tracers an additional 185,401 people who could have been exposed to coronavirus by being around those who have tested positive were identified. Contact tracing teams have been able to get in touch with 84 per cent (155,889) of those people identified.
The result is a trove of information that can be crucial to fighting the spread of coronavirus but also one that carries risks. The purpose of a DPIA is to help mitigate these risks: those running the system are meant to think about what could go wrong and what they could do to stop it.
As Test and Trace is a voluntary scheme – this includes people handing over their contact details at pubs and restaurants – people need to trust their information is being protected. “That starts with being crystal clear about what happens to the data collected, how it will be used and kept safe, what oversight is in place and how the rules will be enforced,” Natalie Banner, the head of Understanding Patient Data, an organisation that focuses on how health data is used, said previously. “It also means being open about risks and how they will be managed.”
There have already been data protection issues with Test and Trace. The Times has reported some contact tracers have shared private patient information, such as NHS numbers, in WhatsApp and Facebook groups. Other reports have also claimed contact details are being used to harass women.
Jim Killock, executive director of the ORG, says the group threatened the government with legal action as it wasn’t clear whether enough had been done to properly evaluate the scheme. “We can only conclude that they do not understand the risks they are running and have failed to understand the importance of mitigating data protection risks,” Killock says. “It also speaks to the need for the Information Commissioner’s Office [ICO] to take regulatory action rather than acting as a ‘critical friend.’”
According to the government’s response to the ORG, the Department of Health has been involved in “detailed and rigorous constructive engagement” with the ICO, the UK’s data protection regulator. The regulator previously said it was working with the Department of Health on the DPIAs it had received.
Naik adds that once the final DPIA for Test and Trace is completed it should be published. The government’s legal letter did not say when it would be completed. “I would expect a full list of purposes, clarity of the involvement of third parties, justifications for the data processing and retention periods, clear mechanisms for individuals to assert their rights and mitigation steps for any risks,” Naik says. “The fact that these have not been considered to date is very concerning.”
Matt Burgess is WIRED’s deputy digital editor. He tweets from @mattburgess1