Experts: UK’s 20-Year Retention of Health Data Violates Law

By Robert Bateman

The U.K.’s National Health Service (NHS) has set up a “Test and Trace” program to help track the spread of COVID-19. 

The program, rolled out May 28, involves “contact-tracing” — gathering information about COVID-19 patients and those with whom they have been in contact, with an aim to slow the spread of the virus.

But privacy experts have expressed outrage at the decision to store the personal information of COVID-19 patients for 20 years.

“They are playing fast and loose with what is for many people their most sensitive personal information, concerning their health,” Jim Killock, executive director of the U.K.’s Open Rights Group, told Digital Privacy News.

NHS officials and Public Health England, the government agency administering the program, did not immediately respond to requests for comment.

The Open Rights Group has filed a complaint with the U.K.’s privacy regulator, alleging that Test and Trace “has been deployed in breach” of the country’s General Data Protection Regulation.

“The NHS have given no justification for their 20-year retention period,” the group said in a news release last week. “No doubt they think there are research purposes and commercial reasons to keep the data.

“But convenience is not the same as necessity — 20 years seems, frankly, excessive.”

Asked whether he believed the program brought inherent security risks, Killock said: “We are extremely concerned that the NHS went ahead without conducting a data-protection impact assessment.

“They are running risks they don’t understand, because they haven’t assessed them,” he told Digital Privacy News.

GDPR requires a data-protection impact assessment for any project that represents a high risk to individual privacy.

“If the NHS wants people to participate, it needs their trust,” Killock said. “They are actively undermining that trust.”

‘Inconsistent,’ Scholar Says

Subhajit Basu, associate professor of information technology law at Leeds University, argued that the program appeared “inconsistent with liberal democracy.”

Under GDPR, Basu told Digital Privacy News, personal information should be kept for only as long as is necessary, and “should be deleted once the legitimate purpose for which it was collected has been fulfilled.”

According to the NHS Test and Trace privacy notice, personal information “needs to be kept for this long … to help control any future outbreaks or to provide any new treatments.”

However, Basu claimed: “It is clear that the 20-year period is arbitrary. The explanation around ‘prevention of a future pandemic’ feels like an engineered argument.

“It is perhaps the most obscure explanation ever given, and completely disregards the clear and precise explanation the law mandates.”

Allowable Under Law

Digital Privacy News also spoke to Anouk Ruhaak, U.K.-based Mozilla fellow and a data-governance expert.

“Under the GDPR, it is allowable to keep data for longer periods of time,” she said. “Even if it’s collected for a completely different purpose, you can hold onto it for research purposes, especially for academic research that benefits the general public.”

Health data can be put to good or bad uses, said Ruhaak, from “helping society understand long-term impacts of COVID-19,” to determining “who is allowed to participate in society and who is not.”

But, Ruhaak argued, retaining sensitive data for long periods is only justifiable “with the proper controls and with a very specific purpose,” neither of which is apparent in this case.

Robert Bateman is a writer in Brighton, U.K.

Source (external link):
NHS: Test and Trace Privacy Information