This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy. We won't track your information when you visit our site. But in order to comply with your preferences, we'll have to use just one tiny cookie so that you're not asked to make this choice again.

Coronavirus: England's test and trace programme 'breaks GDPR data law'

Privacy campaigners say England's test and trace programme has broken a key data protection law.

The Department of Health has conceded the initiative to trace contacts of people infected with Covid-19 was launched without carrying out an assessment of its impact on privacy.

The Open Rights Group (ORG) says the admission means the initiative has been unlawful since it began on 28 May.

The government said there is no evidence of data being used unlawfully.


The test and trace system involves people being asked to share sensitive personal information. This can include:

  • their name, date of birth and postcode
  • who they live with
  • places they recently visited
  • names and contact details of people they have recently been in close contact with, including sexual partners.

"In no way has [there] been a breach of any of the data that has been stored," said Education Secretary Gavin Williamson.

He told BBC Breakfast: "I think your viewers will understand that if we are to defeat this virus, we do need to have a test and trace system and we had to get that up and running at incredible speed.... Are you really advocating that we get rid of a test and trace system? I don't think you are."

ORG had threatened to go to court to force the government to conduct a data protection impact assessment (DPIA) - a requirement under the General Data Protection Regulation (GDPR) for projects that process personal data.

Scotland, Wales and Northern Ireland all carry out parallel contact-tracing schemes of their own but have not been accused of the same failing.

'Rushed-out system'

The government has told the ORG it is working with the Information Commissioner's Office to make sure that data is processed in accordance with the requirements of the law.

The ICO confirmed this and told the BBC it was providing guidance as "a critical friend".

But the regulator added that, while it recognised the urgency in rolling out the programme, if the public were to have confidence in handing over their data and that of their friends, "people need to understand how their data will be safeguarded and how it will be used".

The watchdog is already investigating the Test and Trace programme after the Sunday Times reported last week that some contact tracers had posted private patient data to WhatsApp and Facebook groups.

A Department of Health spokeswoman said: "NHS Test and Trace is committed to the highest ethical and data governance standards - collecting, using, and retaining data to fight the virus and save lives, while taking full account of all relevant legal obligations."

The ORG's complaint stems from work carried out on its behalf by Ravi Naik, a lawyer at the AWO data rights consultancy.

He said the legal requirements for data processing were more than just a tick-box exercise.

"They ensure that risks are mitigated before processing occurs, to preserve the integrity of the system," he explained.

"Instead, we have a rushed-out system, seemingly compromised by unsafe processing practices."

Mr Naik added the ORG had already won a concession from the government. It had originally planned to keep data for 20 years but has now cut that to eight years.

Since the test and trace programme was launched, its 27,000 staff have contacted more than 155,000 people, who may have been infected with the virus, and asked them to go into isolation.

Source: BBC

Share This Post

related posts

On Top