UK Test and Trace system accused of breaching privacy

In early July the Open Rights Group issued a pre-action legal letter to UK health secretary Matt Hancock and the Department of Health and Social Care saying they have breached requirements under the Data Protection Act 2018 and GDPR by failing to conduct an impact assessment for the Test and Trace system. ORG and its lawyers, AWO, had been asking for details of the DPIA since the beginning of June, a few days after the system was launched. In their response, the DHSC’s lawyers said “there were DPIAs - and accompanying privacy notices - undertaken for both the testing and contact tracing advisory service”. In mid-July, DHSC admitted that the DPIA had not been completed and said it was working with the Information Commissioner’s Office to “finalise” the legal requirement. Failure to meet the requirement could land the DHSC in court. The Test and Trace system involves numerous private companies including Serco UK, SITEL Group, and Amazon Web Services. Between the service’s launch on May 28 and July 8 the service tested 1,956.198 people and passed the details of 34,990 cases to the contact tracing operation. Because Test and Trace is voluntary, public trust is crucial to its success, yet there have been reports of contact tracers sharing private patient information in WhatsApp and Facebook goups.

Publications: Wired; Wired; Evening Standard;

Writer: Matt Burgess; Harriet Brewis