The comments below follow the release of the Public Health England privacy notice, which states that PII collected by the new NHS Test and Trace initiative will be kept for 20 years.
The NHS Test and Trace initiative has now been officially launched, and with it we have more details of how the system will work, for example what data will be collected and how it will be used. Set up by Public Health England (PHE), it will be able to keep tested persons’ information – full name, date of birth, home postcode and house number, telephone number and email address – for 20 years, and to keep the details of contacts of people who developed symptoms for 5 years. People do not have an “absolute right” to object to how their information is used or to ask for their information to be deleted.
The length of time the data is stored for, and the lack of personal control over how the data is used and kept, are bound to cause privacy concerns. This might not be too much of a headache for the Government while manual tracking is the norm, since it is hard for the public to “opt out” of that, but it will become more of an issue when NHSX’s contact tracing app is launched, as that will rely on the public opting in for the project to work.
Concerns surrounding the use of the data in the app and how long the data is stored could well affect the number of downloads in a full national roll-out. The Government is relying on a large public buy-in, so privacy concerns from the public could impact adoption and the level of success of the project. Moreover, any reservations around how long data is stored are legitimate – the longer sensitive data is held for, the greater the risk of it being accessed and exploited. To date, the greatest privacy issue with the UK app is the decision to store the data centrally. If the Government could assure the public that the data is not being collected indefinitely and is being stored securely, it could encourage greater adoption and, more importantly, ensure the data is not misused in the future.
20 years to keep Personal Information would seem excessive and unnecessary. I appreciate that the information being collected and processed is being used to help prevent/reduce the instances of COVID-19, but do you really need to keep the person’s full name, date of birth, home postcode and house number, telephone number and email address for 20 years to do that? I would certainly argue that after 5 years (for example) the data should be de-personalised, such as the name removed along with the house number, telephone number and email address. I would also reduce the date of birth to year of birth.
Obviously the GDPR says that data should only be kept as long as is required for the purpose, but it is unclear whether Public Health England will truly audit their data in this way having set an expectation for keeping it for 20 years.
Many organisations, including government agencies, have a hoarder mentality, keeping as much personal data as possible and keeping it far beyond its useful life, which is evidenced by this privacy notice. In an ideal world, the data collected and processed should automatically anonymise after a certain period of time.
I wonder if PHE is going to have a separate privacy notice for the information collected by the NHS app if/when that finally goes into widespread use. The concern being that this automated data collection will be far more invasive, detailing not only the personal information listed in the current policy, but also details of everyone you met with, the location that you met them, how long you were with them, etc.
I can see the prospect of lots of people making Data Subject Access Requests against PHE in the future as they start to realise just how much of their personal data was harvested in the name of COVID-19.
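The retention schedule sketched in the comment above (de-personalise after 5 years, reduce date of birth to year of birth, purge at the 20-year limit stated in the notice) can be expressed as an automatic rule rather than a manual audit. The following is an added example, not code from the article, PHE or the NHS; the record layout, field names and cutoffs are assumptions.

```python
from dataclasses import dataclass, asdict
from datetime import date
from typing import Optional

# Cutoffs assumed for this example: the commenter's 5-year de-personalisation
# point and the 20-year limit given in the PHE privacy notice.
DEPERSONALISE_AFTER_YEARS = 5
DELETE_AFTER_YEARS = 20

# Direct identifiers named in the notice; the record layout itself is constructed.
DIRECT_IDENTIFIERS = ("full_name", "house_number", "telephone", "email")


@dataclass
class TestRecord:
    full_name: Optional[str]
    date_of_birth: str          # "YYYY-MM-DD" until de-personalised, then "YYYY"
    postcode: str
    house_number: Optional[str]
    telephone: Optional[str]
    email: Optional[str]
    collected_on: str           # ISO date the record was created


def years_since(collected_on: str, today: date) -> int:
    """Whole years elapsed between collection and `today`."""
    c = date.fromisoformat(collected_on)
    return today.year - c.year - ((today.month, today.day) < (c.month, c.day))


def apply_retention(rec: TestRecord, today_iso: str) -> Optional[TestRecord]:
    """Return the record as it may be held on `today_iso`, or None once it must be purged.

    Identifiers are set to None rather than overwritten with dummy values so an
    audit can tell a de-personalised record from one that was never complete.
    The rule is idempotent: re-running it on a stripped record changes nothing.
    """
    age = years_since(rec.collected_on, date.fromisoformat(today_iso))
    if age >= DELETE_AFTER_YEARS:
        return None
    if age < DEPERSONALISE_AFTER_YEARS:
        return rec
    stripped = asdict(rec)
    for field in DIRECT_IDENTIFIERS:
        stripped[field] = None
    stripped["date_of_birth"] = rec.date_of_birth[:4]   # keep year of birth only
    return TestRecord(**stripped)


# Constructed sample record for illustration, not real data.
SAMPLE = TestRecord("A. Person", "1980-03-14", "AB1 2CD", "7",
                    "07000000000", "a@example.org", "2020-05-28")
```

Postcode is kept because the commenter only proposed removing the house number; whether a full postcode is still too identifying is a separate minimisation decision.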
Information Security Buzz (aka ISBuzz News) is an independent resource that provides expert comments, analysis and opinion on the latest Information Security news and topics.