The NHS test and trace programme covering England was launched without regard for data privacy. Northern Ireland uses its own contact-tracing scheme.
The UK Government launched its Test and Trace programme on May 28 to track down individuals who may have come into contact with anyone infected by the virus that causes Covid-19. Those who test positive for the virus are asked for personal details on friends, family, and locations they have visited in order to help find those who may have been recently exposed and get them tested.
Since the system stores a great deal of personal information on people, the government was required to perform a mandatory data protection impact assessment prior to launching the scheme. Privacy organisation Open Rights Group (ORG) issued a legal letter to the Department of Health and Social Care two weeks ago asking for the assessment to be published, as it hadn't been made public.
The government's response to the legal challenge confirmed that there was no Data Protection Impact Assessment (DPIA) on the entire Test and Trace system yet. The ORG says that this means the programme has been operating illegally since it began on May 28th, and was disappointed that it took the threat of legal action for the government to admit it hadn't done the assessments.
The government's legal team responded that "The absence of a DPIA for every aspect of the programme cannot be and should not be equated with a failure to ensure that the protection of personal data has been an important part of the programme’s design and implementation. It is completely wrong to claim that there are no DPIAs in place or that the NHS Test and Trace service is unlawful."
As there are third party companies such as Amazon involved in processing the data collected for the Test and Trace programme, there are concerns that personal information from it could be misused. Northern Ireland has been running its own separate contact tracing programme, which hasn't come under fire for its data protection compliance.
