Kzenon - stock.adobe.com

Police given access to self-isolation data

NHS Test and Trace self-isolation data will be made available to police after new guidance changes data-sharing rules

Police forces in England have the power to access the contact details of people instructed to self-isolate by NHS Test and Trace, causing alarm among senior health figures worried that the data-sharing arrangement could undermine public trust in an already controversial testing regime.

In updated guidance published on 16 October by the Department of Health and Social Care (DHSC), police forces in England – but not the rest of the UK – will now be able to request information relating to positive Covid-19 tests directly from the NHS Test and Trace programme “where they are investigating a report of someone who may not be complying with the mandatory self-isolation period”.

This information includes their name, the address at which they are self-isolating, their contact details, and information about when they were instructed to self-isolate.

As well as being available on request for police investigations, the data will also be accessible by local authorities for investigatory purposes.

According to the guidance, anyone who has been instructed to self-isolate by NHS Test and Trace will be contacted regularly to ensure they are complying with the order. However, if it receives no response after three attempts, the data will be passed on to the individual’s local authority for investigation.

“If there is evidence to suggest you are not complying with the duty to self-isolate without reasonable justification, your local authority may pass this information on to local police forces to investigate further,” said the guidance. “This may lead to enforcement action being taken against you, which could include you being fined.”

Currently, failure to comply with self-quarantining measures can lead to a minimum fine of £1,000 for a first offence, which can scale up to £10,000 for repeat offences and more serious breaches.

As first reported by the Health Service Journal (HSJ), the updated guidance was published after the DHSC and the National Police Chiefs Council signed a memorandum of understanding (MoU) governing how data was shared between them.

According to HSJ, the MoU follows an “incredibly forceful” intervention by health secretary Matt Hancock to clarify the data-sharing arrangements, which needed the MoU to create a statutory basis for the sharing.

HSJ said the chief medical officer’s office had significant reservations that giving police access to this data would discourage people from getting tested for the coronavirus, exacerbating the public health risk of Covid-19.

A spokesperson for the British Medical Association said the public needed confidence in the test-and-trace system for it to be effective.

“We are already concerned that some people are deterred from being tested because they are anxious about loss of income should they need to self-isolate – and we are worried should police involvement add to this,” said the spokesperson. “The government’s emphasis should be on providing support to people – financial and otherwise – if they need to self-isolate, so that no one is deterred from coming forward for a test.”

A DHSC spokesperson said: “It is a legal requirement for people who have tested positive for Covid-19 and their close contacts to self-isolate when formally notified to do so.

“The DHSC has agreed a memorandum of understanding with the National Police Chiefs Council to enable police forces to have access on a case-by-case basis to information that enables them to know if a specific individual has been notified to self-isolate. The memorandum of understanding ensures that information is shared with appropriate safeguards and in accordance with the law. No testing or health data is shared in this process.”

Read more about contact-tracing

According to the new guidance, the DHSC collects a wide range of personal data through the testing programme, including first and last names, date of birth, ethnicity, home and delivery addresses, landline and mobile numbers, national insurance numbers and employment details.

In response to the controversy around Test and Trace data being shared with police, the official Twitter account for the NHS Covid-19 app said: “Users are anonymous and the app cannot force them to self-isolate or identify them if they are not self-isolating. The app cannot be used to track your location, for law enforcement, or to monitor self-isolation and social distancing.”

Although the contact-tracing app forms a central part of NHS Test and Trace, the system and its data are operated independently of the wider service, and information from the app is not passed on to police.

Following the threat of a legal challenge from privacy campaigner the Open Rights Group in June, the government was forced to admit that the UK’s entire Test and Trace programme had been operating unlawfully since its inception, because the DHSC failed in its legal obligation to complete a mandatory data protection impact assessment (DPIA).

Although a DPIA has since been completed for the Covid-19 app, which said “no linkage of data between the data sources [held by Test and Trace] is possible,” the government is yet to publish a further DPIA for the NHS Test and Trace system as a whole.

Legally, the DPIA for the app will need to be updated if new functionality is added that alters how data is collected, stored or used, but IT experts have expressed concern about data privacy in future iterations of the app.

The Chartered Institute for IT noted that a planned development to the app by software firm Zühlke, which will score users’ lifestyles for Covid-19 risk, is “alarming” and needs clarity.

“These sorts of algorithmic scoring approaches are often inaccurate and can have unintended side effects… Some data is being stored un-encrypted locally,” said Adam Leon Smith, who chairs the BCS’s software testing group.

“This isn’t of great concern as it appears to be just system configuration data, with the sensitive data being stored by Google and Apple. However, as the functionality is expanded to include things like personal risk scores, this needs to be encrypted, and I am keen to see this isn’t passed to the developer’s servers to establish a centralised tracking system by the backdoor.”

Read more on Smartphone technology

CIO
Security
Networking
Data Center
Data Management
Close