The government skipped essential data privacy impact assessments in its rush to get the system up and running
Personal data is usually kept super-safe under onerous government restrictions – for the obvious risk of it falling into the wrong hands. But the pub landlord is less likely to have a data security policy, so it is easy to see how the list of drinkers can fall into the hands of a barman. Or even a customer. It gives an ominous new meaning to track-and-trace and undermines the basic privacy issues that this system raises.
The so-called “test and trace” rollout will see thousands of people handing over their personal data to U.K. authorities via contact tracers as part of efforts to inform others if they have been in contact with people infected with the virus. The personal information, including names, zip codes, phone numbers and email addresses, will be held by government bodies for up to 20 years.
But Public Health England, the agency overseeing the system in England, confirmed to POLITICO that it had yet to complete a so-called data protection impact assessment — a mandatory requirement under U.K. law — before the system started on Thursday.
Under U.K law, such an assessment, detailing the potential privacy concerns of collecting reams of people’s sensitive data, is obligatory and must be completed before data collection begins. It has to be submitted to the country’s privacy watchdog for review.
- Groups hit out over threat of forced 14-day quarantine for test and trace scheme
- It comes as the NHS Test and Trace scheme faced issues on its first official day
- Other groups have raised concerns over how people’s data will be stored safely