The Government has admitted that England’s Covid-19 Test and Trace programme has broken a data protection law, according to a letter sent to privacy campaigners.
The Department of Health and Social Care (DHSC) acknowledged it had failed to carry out a risk assessment on how the system would affect privacy.
It follows the threat of legal action from the Open Rights Group (ORG), which claims that the programme to trace contacts of those infected with Covid-19 has been operating unlawfully since its launch on May 28.
A spokesman for the DHSC said there is “no evidence” of data being used in an unlawful way.
Carrying out a Data Protection Impact Assessment (DPIA) – which helps to identify and mitigate risks relating to use of personal data – is a requirement under General Data Protection Regulation (GDPR) laws.
In response to a pre-action letter from privacy campaigning organisation ORG, the Government confirmed that, while a DPIA is a legal requirement, it has not yet been completed.
The letter from DHSC, which is dated July 15, said the legal requirement is being “finalised”.
Calling the Government’s behaviour “reckless”, Jim Killock, executive director of ORG, said: “We have a ‘world beating’ unlawful Test and Trace programme.
“A crucial element in the fight against the pandemic is mutual trust between the public and the Government, which is undermined by their operating the programme without basic privacy safeguards.”
Ravi Naik, legal director of the data rights agency AWO, instructed to act on behalf of ORG, said that failing to carry out the “appropriate assessment” meant all data collected is “tainted”.
“These legal requirements are more than just a tick-box compliance exercise,” he said.
“They ensure that risks are mitigated before processing occurs, to preserve the integrity of the system. Instead, we have a rushed-out system, seemingly compromised by unsafe processing practices.”
ORG is just one group to raise privacy concerns over the scheme, with a former Cabinet minister also previously warning of “serious errors” in its implementation.
Labour’s Lord Hain said last month that the NHS had failed to carry out its legal data protection obligations prior to the launch and had entered into data-sharing relationships “on unnecessarily favourable terms to large companies”.
A DHSC spokesman said: “There is no evidence of data being used unlawfully.
“NHS Test and Trace is committed to the highest ethical and data governance standards – collecting, using, and retaining data to fight the virus and save lives, while taking full account of all relevant legal obligations.
“We have rapidly created a large-scale test and trace system in response to this unprecedented pandemic.
“The programme is able to offer a test to anyone who needs one and trace the contacts of those who test positive, to stop the spread of the virus.”
Since you are here
Since you are here, we wanted to ask for your help.
Journalism in Britain is under threat. The government is becoming increasingly authoritarian and our media is run by a handful of billionaires, most of whom reside overseas and all of them have strong political allegiances and financial motivations.
Our mission is to hold the powerful to account. It is vital that free media is allowed to exist to expose hypocrisy, corruption, wrongdoing and abuse of power. But we can't do it without you.
If you can afford to contribute a small donation to the site it will help us to continue our work in the best interests of the public. We only ask you to donate what you can afford, with an option to cancel your subscription at any point.
To donate or subscribe to The London Economic, click here.
The TLE shop is also now open, with all profits going to supporting our work.
The shop can be found here.
You can also SUBSCRIBE TO OUR NEWSLETTER .