When the UK government’s Track and Trace programme was launched in May 2020, data protection was hardly its core focus. With a pandemic raging and no certainty around when a working vaccine would be available, slowing the spread of the novel Coronavirus was inherently the priority.
Unfortunately, in the hurry to roll out a functional contact tracing system and protect those at-risk from infection, a government solicitor conceded the Department for Health and Social Care failed to live up to expectations set out under Article 35 of GDPR. They added that while having a full Data Protection Impact Assessment (DPIA) in place was “preferrable”, NHS Track and Trace was developed at such a pace and scale that it was not at the forefront of their priorities. An essential tool in the fight against Covid-19, the Track and Trace programme was launched without undergoing a full DPIA, as explicitly required under GDPR.
What is a DPIA?
A DPIA should act as a checklist that identifies any potential areas in which you will need to implement additional processes to prevent a breach in the regulations. While the government has defended its system and said that it does not believe anything it’s doing with the data is unlawful, it is the very act of failing to undertake this self-audit to determine the data security of the programme that breaches the regulations.
Under the Data Protection Act of 2018, any establishment or institution intending to process ‘special category’ data which involves medical information is required to map out through a DPIA whether the processing of such data will be done safely and in line with legislation. The very purpose of this step is to confirm whether it is safe and lawful to proceed with the data processing, and if so, whether any further actions need to be taken to protect the sensitive information of the people whose data you are processing.
That being said, the government insists that it has taken the appropriate steps to safeguard the personal data of participants, and that the absence of a DPIA should not be interpreted as a failure to respect data protection principles – indeed, privacy notices published online are sufficient in assisting the public to understand how their personal data is being used, according to the government.
Track and Trace and privacy laws
Privacy rights should always be baked into any system or programme that intends to process the personal data of UK citizens. Indeed, Article 35 of the GDPR states that a DPIA must be carried out if the “processing of data is likely to result in a high risk to the rights and freedom of natural persons”.
This should not be an afterthought, but a critical first step that is taken prior to the processing of personally identifiable information. Of course, in these exceptional circumstances, it’s understandable that the programme was expedited as a matter of urgency in keeping the ‘R’ rate down and lifting the national lockdown the country was under at the time.
The development of Track and Trace would always be a complex situation – by nature, its success would depend upon people handing over their date of birth, NHS number, email, telephone, Covid-19 symptoms and the details of those who they’ve been around. It wouldn’t be solely the NHS handling the data either, but the various private companies brought on to help facilitate the development of the programme and processing of data. Acting with such urgency to tackle the serious health risk of the pandemic led the government to assess as they went along as opposed to assessing the programme for safety risks up front – a decision that many privacy campaigners argue was dangerous from the outset.
Test and trace App
Just like the contact tracing system that saw 15,000 call centre staff deployed to help track the contacts of those who tested positive for the Coronavirus, the NHS Test and Trace app was launched without a DPIA on the Isle of Wight on the 28th of May 2020. And, just the manual Track and Trace system, the app’s success would depend entirely on public support – something the government and the NHS would struggle to get if concerns regarding the unlawful use of personal data were to grow. At the time of launch, the main worry amongst the UK public was that their personal data would be sold to third parties such as US healthcare organisations or given to law enforcement organisations. Further, since September, the hospitality sector has been required by law to record the contact details of customers for the purpose of track and trace. To help in this effort, many pubs and restaurants have worked with external firms to collect data via QR codes, negating the need for paper logs. However, not long after guidelines around contact tracing in the hospitality industry were instated, a privacy crisis ensued after it was revealed the companies collecting track and trace data for pubs and restaurants were selling on data to marketers, credit companies and insurance brokers. One company in particular was found to have a clause in their contract that requires customers to accept its privacy policy despite it containing clauses that data can be shared with third parties including “service providers or regulatory bodies providing fraud prevention services or credit/background checks.”
Government guidelines specify that any data collected by companies in relation to Coronavirus should be held for 21 days before being disposed. Critically, the guidelines also prevent businesses from using personal data for any other purpose than NHS Test and Trace. However, by burying their terms in the small print, many firms have already worked their way around these rules to farm data out or even keep it for themselves for nefarious purposes. This is just one example of a gap that would likely have been identified through a thorough data protection impact assessment but was missed due to the urgency and pace at which the app was developed and rolled out to the public.
What are the legal implications?
Unfortunately, the lack of a full initial audit on the programme did have considerable implications; weeks after the launch of Track and Trace, it emerged that individuals employed as contact tracers had been sharing details of Covid-19 patients including names, numbers and contact details, via WhatsApp and Facebook in unregulated groups. Another major concern is that such a breach would undermine public trust, dissuading members of the public to provide their personal data for fear it would be shared unlawfully. Indeed, according to a recent study conducted in Switzerland, Germany and Austria, data protection and fear of surveillance have been cited as the main reasons that people have not downloaded Covid-19 tracing apps.
In theory, the largest sanction that the Information Commissioners Office can impose for a breach is a fine of £17m. In such circumstances, it’s highly unlikely that such sanctions would be imposed – in fact, in its legal correspondence, the ICO has confirmed it has received a DPIA for certain elements of Track and Trace, and that it is continuing to engage with the government to ensure risks are mitigated. A spokesperson for the IPO also stated that sharing a DPIA with the ICO was not always a requirement and that, in this particular case, the regulator had been working with government officials to provide guidance and advice in the development of the scheme:
“We recognise the urgency in rolling out the test and trace service during a health emergency, but for the public to have trust and confidence to hand over their data and that of their friends and families, there is also work needed to ensure the risks to that personal data are properly and transparently mitigated. People need to understand how their data will be safeguarded and how it will be used.”