The so-called “test and trace” rollout will see thousands of people handing over their personal data to U.K. authorities via contact tracers as part of efforts to inform others if they have been in contact with people infected with the virus. The personal information, including names, zip codes, phone numbers and email addresses, will be held by government bodies for up to 20 years.
But Public Health England, the agency overseeing the system in England, confirmed to POLITICO that it had yet to complete a so-called data protection impact assessment — a mandatory requirement under U.K. law — before the system started on Thursday.
Under U.K law, such an assessment, detailing the potential privacy concerns of collecting reams of people’s sensitive data, is obligatory and must be completed before data collection begins. It has to be submitted to the country’s privacy watchdog for review.