UK Government Admits Failing to Assess ‘Test and Trace’ Privacy Risks Properly

By Robert Bateman

The U.K. government has admitted that its COVID-19 “test and trace” program was begun in May without an appropriate “data-protection impact assessment” (DPIA) in place, with experts telling Digital Privacy News that the omission represented a serious breach of privacy law.

The revelation came in a July 15 letter from the government’s legal department, shared with Digital Privacy News via a news release from U.K. campaigning organization the Open Rights Group.

A DPIA is required under U.K. law before commencing any project carrying a high risk to individual privacy. The government claimed to have conducted several DPIAs covering aspects of the program but admitted it should have completed an overarching assessment before it launched on May 28.

“While people may be treating this as a data-protection technicality, it actually has far more significant consequences,” Phil Booth, coordinator of U.K. medical privacy group medConfidential, told Digital Privacy News.

“If the government knowingly chooses not to comply with the law, it undermines the legitimacy of what it is doing with millions of people’s personal details.”

UK Agency Responds

A representative of the U.K. government’s Department of Health and Social Care told Digital Privacy News in an email: “It is completely wrong to claim that there are no DPIAs in place or that the NHS test and trace service is unlawful.

“We have undertaken a number of separate DPIAs covering the constituent parts of the NHS test and trace service, with more in development — including an overarching DPIA.

“An entire industry has been successfully set up at speed to tackle the most serious public-health crisis we have faced in a century,” the email continued. “Our priority has been to save lives and protect public health — and we will not apologize for doing so.

“NHS test and trace is committed to the highest ethical and data-governance standards — and there is no evidence of data being used unlawfully,” the representative said.

‘Criminal Abuse’ Fears

But the consequences of failing to properly assess the privacy risks before commencing such a project are severe, Booth argued, ranging from “relationship-wrecking embarrassment” to “outright discrimination” and “criminal abuse.”

MedConfidential, based in the U.K., is calling on the government to release all documents associated with the test and trace program, including any DPIAs it claims already have been carried out.

Kristina Podnar, an author and digital-policy consultant in Washington, said she believed the U.K. government’s actions followed a pattern of “indulgence” that has emerged over the past decade, “where government entities are allowed deviations from self-imposed regulations.”

“Government agencies are increasingly taking excused absence from established regulations and norms that were arrived at through due process for legitimate societal benefit,” Podnar told Digital Privacy News.

“Arbitrarily choosing when to take leave of established processes opens the door to even further non-adherence, setting a potentially dangerous precedent that checks and balances are unnecessary when it comes to governmental entities.”

Legal Precedent Set

By failing to uphold standards, governments “can set a legal precedent that businesses and other entities do not have to follow the same principles,” Podnar said, “signaling to business and society on the whole that there are no ways to achieve safety without the compromise of privacy, which is simply not true.”

Even during an emergency, privacy safeguards must be maintained, she argued.

“It is a slippery slope to pause or suspend data-protection in times of perceived stress,” Podnar said, “and one that can derail data-privacy protection for years or even decades to come.

“This is not the time to erode the hard work achieved in digital privacy over the past decade.”

Robert Bateman is a writer in Brighton, U.K.
