‘Test and trace’ breaks GDPR?

Recently, the ICO commented that data protection rules must be followed, even in emergency situations like the current COVID-19 pandemic. Naturally, things may take a little longer than normal, but there is no excuse for ignoring the rules.

So, can you imagine how embarrassing it is for the UK government when the Department of Health had to admit that they launched the ‘Test and Trace’ programme without carrying out an assessment of its impact on your privacy and mine?

If you have attended any of my data protection workshops, or benefited from the Data Protection Review, you will know about the importance of a Data Protection Impact Assessment (“DPIA”), and how it is one of the foundations of demonstrating data protection by design and by default. Yet, the Department of Health chose not to undertake a DPIA for ‘Test and Trace’.

Against the background of a recent Sunday Times article, alleging that some contact tracers had posted private patient data to Facebook and WhatsApp groups, the choice not to undertake a DPIA is almost unbelievable.

A spokesman for the Department of Health said “NHS Test and Trace is committed to the highest ethical and data governance standards – collecting, using, and retaining data to fight the virus and save lives, while taking full account of all relevant legal obligations.” I somehow think the actions need to match the words.

If you want to make sure that you are using DPIAs at the right times, enquire about my DPIA webinar.