The Department of Health and Social Care (DHSC) has conceded the initiative to trace contacts of people infected with Covid-19 was launched without carrying out a Data Protection Impact Assessment (DPIA) – an assessment of its impact on privacy.
The DHSC, through a spokesperson, said there is no evidence of data being used unlawfully and added: “NHS Test and Trace is committed to the highest ethical and data governance standards … while taking full account of all relevant legal obligations.”
However, the spokesperson for the DHSC did not respond when asked whether a report in The Sunday Times, which found Test and Trace workers were sharing patients’ confidential data on social media sites, was evidence of data being used unlawfully.
The ICO said that, while it recognised the urgency in rolling out the programme, if the public were to have confidence in handing over their data and that of their friends, “people need to understand how their data will be safeguarded and how it will be used”.
A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project. It is a legal requirement to carry out a DPIA for processing that is likely to result in a high risk to individuals, as Track & Trace is likely to be. The aim of DPIAs is to ensure that risks are mitigated before data processing occurs.
Instead, what appears to have happened in this instance is a rushed-out system, seemingly compromised by unsafe processing practices – a lesson for all organisations proposing to introduce or rely on new ways to process personal data.
According to Sky News, contractors working for NHS Test and Trace have been told they may be fired following reports of dozens of staff sharing patients’ confidential data on social media.