BB News reported that privacy campaigners say England’s coronavirus test and trace program has broken a key data protection law. The program was launched without carrying out an assessment of its impact on privacy as conceded by the Department of Health. It involves people being asked to share sensitive personal information. This can include:
- their name, date of birth and postcode
- who they live with
- places they recently visited
- names and contact details of people they have recently been in close contact with, including sexual partners.
We all understand the need for those setting up the track and trace capability to act quickly, but the ICO is, I believe, going to struggle to enforce aspects of the Data Protection Act 2018 given the example that has been set by the Government during 2020.
The revelation that a Data Privacy Impact Assessment was not performed as part of the track and trace project, shows exceedingly poor governance and control. In the private sector, organisations are expected to ensure that Data Privacy and Protection controls are a part of their business as usual processes, not something that is revisited in hindsight.
I respect the Education Secretary\’s position when he said that \”In no way has [there] been a breach of any of the data that has been stored,\” but there are two vital points, that Graham Williamson is perhaps missing, it often takes time for organisations to realise that they have experienced a data breach and secondly breach protection is what many would consider to be the very lowest bar in data protection requirements, English data protection legislation raised the bar well above this over 20 years ago.
In a pandemic, shortcuts are taken on regulations with the bigger picture in mind about the safety of people’s lives. However, this has been detrimental to individual privacy, and has left the protection of our private data open to abuse – unfortunately, this could be precisely where criminals will strike.
We have seen bar staff make unwarranted contact with pub-goers, which is just the start of unwanted contact and shows how it could be used in the wrong hands. Moreover, such disingenuous use of the track and trace program could lead to people leaving false contact details behind, potentially causing the programme to fall over before it has had a chance to show how powerful it could be in reducing the spread of COVID-19.
Given the urgency in rolling out the test and trace programme, it is clearly challenging to balance the importance of public data privacy with the need to track the epidemic accurately to keep people medically safe. This was always going to be difficult given the timeframe, but privacy and security still need to be front of mind when dealing with any personal data.
This is especially important with healthcare data, which is at particular risk of cyber-attacks and data breaches as information such as health records is very valuable to criminals. There, therefore, needs to be stringent security controls and processes in place to ensure that individual data is treated extremely sensitively and remains secure.
With apps such as these, uptake will be based on trust. The technical details aren\’t going to be understandable to most UK citizens, but the level of trust they have for their government will be based on the history of their government and all of its intelligence agencies, law enforcement bodies and partners. With several high-profile data breaches have taken place in the healthcare industry recently, the government is particularly under the spotlight with compliance efforts being more carefully scrutinised and recorded than ever before
In light of the circumstances, I would not cast any sinister light or raise any doubts on the currently unfinished DPIA assessment of the programme. This pandemic has brought us the challenges of unprecedented complexity, emergency, and scale making most of the common procedures and formalities unfeasible.
Unless there is clear and convincing evidence of any material non-compliances or misuse of the data, I’d refrain from criticizing the approach selected by the UK government to handle the programme urgently. Were they mechanically following all of the compliance formalities through the jungles of bureaucracy, they would likely have endangered many innocent lives by the delay and also inflicted incalculable financial damage upon the spiraling economy.
It is now important to rigorously follow DPIA procedures to retroactively confirm and duly validate the programme’s data protection and privacy in accordance with the enacted law. It is highly unlikely that under the circumstances anyone will have a viable claim for relief against the UK government.