Test and Trace has not passed data protection impact assessment

Public Health England (PHE) did not complete a data protection impact assessment (DPIA) prior to launching the Covid-19 coronavirus Test and Trace programme on 28 May 2020, it has emerged.

According to Politico, which first reported the story, DPIAs, which set out the possible privacy implications around the collection and processing of personal data, must be completed and submitted for review ahead of the commencement of the data collection exercise.

A PHE spokesperson verified the accuracy of this report. “Public Health England, supported by the NHS Business Services Authority, is preparing a data protection impact assessment for the NHS Test and Trace system, and expects to publish this shortly,” it said.

Computer Weekly asked PHE why the DPIA had not been completed ahead of the programme’s launch, but PHE declined to respond to that question.

The Test and Trace programme, which launched on 28 May without the benefit of its accompanying contact-tracing app, is supposed to help the UK navigate the difficult return to normal life after the pandemic by tracking down and isolating the contacts of anybody who tests positive for Covid-19.

Recipients of positive test results will be required to share information on their recent contacts – members of their own household and others they have been in direct contact with or within two metres of for over 15 minutes, who must then self-isolate for a fortnight.

The data collected will include names, gender, dates of birth, home postcodes, telephone numbers and email addresses. As previously reported, it can be legally held for 20 years under GDPR and the NHS Act 2006.

According to the Information Commissioner’s Office (ICO), a DPIA must be completed for data processing that “is likely to result in a high risk to individuals”, although it highly recommends that DPIAs are done for any major project requiring the processing of personal data.

DPIAs in the UK must lay out the nature, scope, context and purpose of the processing; assess its necessity, proportionality and compliance; identify and assess risks to individuals; and identify measures to mitigate said risks.

To assess risks levels, data processors should consider both the likelihood and severity of the impact of a data breach on individuals. If a high risk is identified that cannot be mitigated, the ICO must be consulted before processing begins, in which case it will give written advice in eight to fourteen weeks for the most complex cases.

If appropriate, the ICO’s guidance also notes it may issue the processor with a formal warning not to process the data or ban it altogether.

Since the programme went live, anecdotal reports have emerged that people hired as contact tracers have been left unable to log in to their IT systems.

Labour MP Ben Bradshaw, having taken part in a briefing with the head of the programme – former TalkTalk boss Dido Harding – yesterday said Harding had told him the programme would not be fully operational until the end of June.

Bradshaw accused the government of launching the Test and Trace programme before it was ready in order to divert attention away from the Dominic Cummings scandal.