ORG demands Government act to secure ‘Track and Trace’ data

NHS Test and Trace has been launched, in breach of data protection laws. 

Open Rights Group have instructed Ravi Naik of AWO to file a complaint with the ICO concerning the national roll-out of Test and Trace, as that system has been deployed in breach of the GDPR. ORG’s lawyers have also separately written to Matt Hancock, the Secretary of State for Health, the CEO of NHSX and the Chief Executive of Public Health England, asking for clarity around the Test and Trace system. 

The complaint to the ICO relates to the failure by the NHS and PHE to conduct a Data Protection Impact Assessment. The GDPR requires a DPIA before processing of data in high risk situations. Given the system is experimental and the sensitive nature and scale of the data being processed, a DPIA was required before processing commenced. PHE and the NHS confirmed that a DPIA has not been conducted, in breach of those GDPR requirements. 

The letter to the agencies in charge of Test and Trace highlights that:

  • There is no Data Protection Impact Assessment as required by law, leaving no confidence that risks are adequately mitigated
  • Security risks have already been identified that place people at risk
  • The 20 year data retention period seems excessive and likely to put people off participation; 
  • Commercial and research purposes are unclear as matters stand, making the retention period is even more problematic.
  • The privacy notice associated with Test and Trace is flawed. 

ORG have asked a number of questions to seek clarity around these concerns. ORG have asked for an urgent response to this letter, as the Test and Trace system is already deployed. 

Jim Killock Executive Director of Open Rights Group said:

“The ICO must act to enforce the law. The Government is moving too fast, and breaking things as a result. If they carry on in this manner, public confidence will be undermined, and people will refuse to engage with the Track and Trace programme. Public health objectives are being undermined by failures to get privacy and data protection basics in place.” 

Open Rights Group have instructed Ravi Naik, the Legal Director of the data rights agency AWO. Mr Naik said: 

“Rushing out Test and Trace without following basic legal requirements is troubling. These legal obligations are not simply a compliance point. They are designed to ensure that risks are identified and mitigated. Not conducting these assessments has caused our clients concern that those risks have not been properly thought through. Added to this is the lack of transparency around data sharing and relationships with third parties. We trust that the ICO will act accordingly to enforce the law and bring some transparency to the Test and Trace process.”



Jim Killock


The letters to Matt Hancock / NHS / PHE and the ICO are available on request.