Test and Trace briefing for JCHR

Our take on Government failing to run Test and Trace in compliance with the law.

Find our official submission here.



Test and Trace did not undergo a mandatory privacy impact assessment, which endangers the right to privacy of those who participate in the scheme.

After a legal challenge by Open Rights Group, the Department of Health and Social Care has admitted their Test and Trace programme was deployed without carrying out a Data Protection Impact Assessment (DPIA)—which is mandatory under UK law.[i] Contact tracing involves the processing of health data of a large number of people, and its security cannot be taken lightly.

The DHSC claims that there is no “evidence of data being used unlawfully”.[ii] However, the press have already reported that contact tracing data are being posted on Facebook groups,[iii] and being used to sexually harass women, through the collection of data in bars and restaurants.[iv] UK citizens should not be forced to renounce the confidentiality of their health details (or to be exposed to inappropriate behaviour) in order to participate in Government programmes.

Assessing the privacy implications of Test and Trace from the outset would have allowed DHSC to identify these threats in time, and put safeguards in place to protect the confidentiality and security of contact tracing data. Failure to undertake this assessment reflects badly on Test and Trace: as the Independent SAGE points out, it is important to “ensure appropriate governance and safeguards for privacy and data misuse, to ensure trust and engagement”.[v]

Finally, we find no evidence whatsoever that DPIAs would entail, as the Secretary of Health put it, being “held back by bureaucracy”. For instance, Italy,[vi] France[vii] and Germany[viii] produced thorough DPIAs for their Coronavirus Apps, which are now up and running. Meanwhile, the NHSX App is expected to be released this Autumn, following a u-turn dictated by concerns around “technical and ethical issues”.[ix]

Since the Coronavirus App, Government has consistently been failing on privacy.

The Joint Committee for Human Rights identified clear time limits, sufficient oversight, security and confidentiality as fundamental aspects to reduce the interference of contact tracing with fundamental rights, and in particular the right to privacy.[x] Unfortunately, Government's reckless behaviour has fallen short of addressing any of these issues throughout the duration of the crisis. This resulted in:

Lack of clear time limits on the use of data.

Test and Trace originally planned to store contact tracing data for up to 20 years,[xi] in breach of any reasonable standard of necessity. Their actual plans in this regard are still unclear: the DHSC has conceded to Open Rights Group that they would lower this period to eight years. However, their privacy notice has not been updated since then, and to this date still reads “information collected by NHS Test and Trace for people with COVID-19 symptoms is kept by Public Health England for 20 years”.[xii]

Lack of sufficient oversight on the use of such data.

An independent Ethics Advisory Board was set up to monitor the privacy implications of digital contact tracing; however, it was then “kept in the dark” and denied access to the information it needed to effectively advise on the development of the NHSX App.[xiii] Furthermore, the Information Commissioner’s Office has been steadily refusing to hold Government to account, as Open Rights Group has thoroughly documented in our submission to the DCMS Committee.[xiv] This state of affairs has not changed, as the ICO keeps defining itself as a “critical friend” despite DHSC admitting they have broken the law.

Insecure systems and lack of confidentiality.

On top of the issues already mentioned regarding Test and Trace data, NHSX produced an insufficient DPIA for their Contact Tracing App,[xv] failing to mitigate the risks regarding the processing of digital contact tracing data. Furthermore, residents who were testing the App in the Isle of Wight were exposed to serious security flaws[xvi]—in the words of the National Cyber Security Centre, deliberate “compromises were made in the name of timeliness”.[xvii]

Parliament needs to act.

The Joint Committee for Human Rights proposed a Bill to establish additional legal safeguards over the use of digital contact tracing data,[xviii] an initiative which Open Rights Group and other civil society organisations supported.[xix]

However, the Secretary of State dismissed JCHR concerns, saying that “once data have been collected, we are bound to the strict obligations set out in the GDPR, the Human Rights Act, […] and the common law duty of confidentiality”.[xx] Contrary to these premises, however, the Secretary of Health now states that he “won’t be held back by bureaucracy”,[xxi] and the DHSC keeps claiming—against the opinion of their own lawyers—that DPIAs are in place and the system is operating lawfully.[xxii]

While this attitude is hardly indicative of a shift of approach, the integrity of Government programmes such as Test and Trace cannot be risked. Therefore, we call for the Joint Committee for Human Rights to voice their concern, and avoid public health programmes being run at the expense of fundamental rights.

Furthermore, as noted above, enforcement of data protection rights is the task of the Information Commissioner’s Office. If, as we have seen, serious irregularities are a pattern, the ICO should be taking regulatory action including information notices, assessment notices and enforcement notices. It appears this has not happened. The JCHR should ask why not.

[i] BBC “Coronavirus: England’s test and trace programme ‘breaks GDPR data law’.” Source: https://www.bbc.com/news/technology-53466471

[ii] Department of Health and Social Care. Source: https://twitter.com/DHSCgovuk/status/1285148041117405184

[iii] The Times “Coronavirus contact tracers sharing patients’ data on WhatsApp and Facebook.” Source: https://www.thetimes.co.uk/edition/news/coronavirus-contact-tracers-sharing-patients-data-on-whatsapp-and-facebook-rg3zqn5l6

[iv] The Telegraph “Test and trace is being used to harass women – already.” Source: https://www.telegraph.co.uk/women/life/test-trace-used-harass-women-already/

[v] The Independent SAGE Report 4, p. 3. Source: https://www.independentsage.org/wp-content/uploads/2020/06/IndependentSAGE-report-4.pdf

[vi] Italian Data Protection Authority [Garante per la protezione dei dati personali]. Source: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9356588#english

[vii] France 24 “France rolls out Covid-19 tracing app amid privacy debate.” Source: https://www.france24.com/en/20200602-france-rolls-out-covid-19-tracing-app-amid-privacy-debate

[viii] BBC “Germany has its Covid-19 app, so where’s the UK’s?” Source: https://www.bbc.com/news/technology-53069690

[ix] Financial Times “UK starts to build second contact tracing app.” Source: https://www.ft.com/content/446df516-4ec5-4c06-b39f-dd89ea5f6f0b

[x] JCHR “Letter to Rt Hon Matt Hancock MP, regarding Government’s plans to use digital technologies, dated 28 April.” Source: https://committees.parliament.uk/publications/819/documents/5276/default/

[xi] The Telegraph “NHS under fire for plans to store track and trace data for 20 years.” Source: https://www.telegraph.co.uk/technology/2020/05/28/nhs-fire-plans-store-track-trace-data-20-years/

[xii] Source: https://contact-tracing.phe.gov.uk/help/privacy-notice

[xiii] The Telegraph “NHS contact-tracing app ethics board kept in the dark over trial.” Source: https://www.telegraph.co.uk/technology/2020/05/11/nhs-contact-tracing-app-ethics-board-kept-dark-trial/

[xiv] Open Rights Group “Written Evidence to the Science and Technology Committee.” Source: https://committees.parliament.uk/writtenevidence/7529/pdf/

[xv] Michael Veale, “Analysis of the NHSX Contact Tracing App ‘Isle of Wight’ Data Protection Impact Assessment.” Retrieved at: https://osf.io/preprints/lawarxiv/6fvgh

[xvi] BBC “Coronavirus: Security flaws found in NHS contact-tracing app.” Source: https://www.bbc.com/news/technology-52725810

[xvii] NCSC, “NHS Covid-19 app security: two weeks on.” Source: https://www.ncsc.gov.uk/blog-post/nhs-covid-19-app-security-two-weeks-on

[xviii] Source: https://committees.parliament.uk/publications/1026/documents/8461/default/

[xix] Open Rights Group, Article19, Index on Censorship, “Written evidence to the Joint Committee for Human Rights.” Source: https://committees.parliament.uk/writtenevidence/5764/pdf/

[xx] Response from Rt Hon Matt Hancock MP, regarding the Government’s plans to use digital technologies, dated 4 May. Source: https://committees.parliament.uk/publications/929/documents/7125/default/

[xxi] Source: https://twitter.com/OpenRightsGroup/status/1285260608875700225?s=20

[xxii] The Telegraph “Privacy body accuses NHS Test and Trace system of breaching data protection laws.” Source: https://www.telegraph.co.uk/news/2020/07/20/privacy-body-accuses-nhs-test-trace-system-breaching-data-protection/