UK Covid-19 tracing app and GDPR implications

Authorities worldwide have been using technology to help curb the spread of the Covid-19 pandemic. The UK government has been running the Test and Trace program since May 2020 but has not carried out the Data Protection Impact Assessment (DPIA) required by the EU General Data Protection Regulation (GDPR). Under this law, companies and government agencies can face fines of up to 4% of annual revenues if they mishandle people’s data.

“We have a ‘world beating’ unlawful Test and Trace programme”, said Jim Killock, Executive Director of Open Rights Group, which protects digital rights in the UK, in a press release published on July 20, 2020. “We were forced to threaten Judicial Review to ensure that people’s privacy is protected”, added Killock.

On July 20, 2020, The Department of Health and Social Care said in a tweet reply, “There is no evidence of data being used unlawfully. NHS Test and Trace is committed to the highest ethical and data governance standards”.

This App has been implemented as part of the UK government’s initiative to inform people that they have been in contact with others infected by Covid-19. Personal information, including email addresses, phone numbers, ZIP code, names, and addresses, is set to be held by the government for up to 20 years. This information can be used later for research related to the Covid-19 pandemic, for monitoring the progress and development of the virus, and for planning actions in response.

The Open Rights Group (ORG) has been in touch with the government to ask for a DPIA, claiming that the so-called “Test & Trace Programme” violates Article 35 of the GDPR. According to the EU regulations, “the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data”. On July 15, 2020, the Government Legal Department responded to ORG in a letter. The defendant acknowledged the importance of the DPIA to protect personal data. The Department of Health and Social Care (DHSC) admitted that Test and Trace was deployed unlawfully. However, it stated that the DPIA is currently being finalized.

“The primary focus of all of those involved in the Programme has been to ensure it functions effectively to save lives and protect public health,” the government’s legal team states in response to the ORG threat of legal proceedings, according to Wired UK. On the other hand, Julia Thompson, a spokeswoman, said that Public Health England is working on the Data Protection Impact Assessment and that it will be published shortly, according to Politico.

Robert Hannigan, a former director of the government’s intelligence and security organization, GCHQ, said, “The App is not a threat to individuals” because it only records a person’s postcode alongside a unique reference number for each phone, according to The Guardian.

The Test and Trace App was first tested on the Isle of Wight during the first week of May before being implemented in the UK. The App sends an alert to people if they have been in touch with someone diagnosed with Covid-19. According to the BBC, the NHS Covid-19 App is designed to use citizens’ smartphones to keep track of their proximity to each other by sending wireless Bluetooth signals.

More than 155,000 people who may have been infected with the virus have been contacted by the program staff, according to ZDNet. However, the Times.UK states that Covid-19 patients’ details have been shared on Facebook and WhatsApp – a breach of the data protection law.

A debate took place on whether data collected through the App would be destroyed after the pandemic. However, retaining some data is crucial and will help the NHS track outbreaks in case of the future spread of the virus.