UK Track And Trace Scheme Broke UK Data Protection, Campaigners Claim

ICO, data protection, GDPR

Campaigners claim that UK’s track and trace scheme broke data protection laws, but experts say non-compliance understandable considering unprecedented emergency

Privacy campaigners the Open Rights Group (ORG) claim the UK Government’s Coronavirus track and trace program broke a key British data protection law.

It comes after the Department of Health conceded the initiative was launched without carrying out an assessment of its impact on privacy, the BBC reported.

The impact of the global Coronavirus pandemic continues to be felt in the West, four months after many countries entered lockdown. Countries such as South Africa, India, Brazil and the United States continue to see sharp rises in infections.

coronavirus Image credit: Centres for Disease Control and Prevention
Image credit: Centres for Disease Control and Prevention

Data protection

“The Government’s Test and Trace Programme risks the privacy rights of hundreds of thousands (if not millions) of individuals in the UK whose personal data has been or will be processed through the Programme,” alleged the Open Rights Group.

“Government has not made the effort to check our data is safe. They are making the same privacy missteps that damaged the NHSX tracker app,” it alleged. “We are forced to take action, because the Information Commissioner is not doing its job. When the regulator fails, it is up to us to step in.

The campaign group says that the UK initiative has been unlawful since it began on 28 May.

But the government said there is no evidence of data being used unlawfully, with Education Secretary Gavin Williamson stating that “In no way has [there] been a breach of any of the data that has been stored.”

“I think your viewers will understand that if we are to defeat this virus, we do need to have a test and trace system and we had to get that up and running at incredible speed,” he told BBC Breakfast. “Are you really advocating that we get rid of a test and trace system? I don’t think you are.”

ORG has reportedly threatened to take the government to court over the matter, to force it to conduct a data protection impact assessment (DPIA) – a requirement under the General Data Protection Regulation (GDPR) for projects that process personal data.

The Information Commissioner Office (ICO) has reportedly confirmed it is working the Government to make sure the scheme is in compliance with data protection laws.

Pandemic shortcuts

The spat over the UK’s scheme that was rushed out during a pandemic, and its compliance with UK data protection laws, drew a response from industry experts.

“In a pandemic, shortcuts are taken on regulations with the bigger picture in mind about the safety of people’s lives,” noted Jake Moore, cybersecurity specialist at ESET. “However, this has been detrimental to individual privacy, and has left the protection of our private data open to abuse – unfortunately, this could be precisely where criminals will strike.”

“We have seen bar staff make unwarranted contact with pub goers, which is just the start of unwanted contact and shows how it could be used in the wrong hands,” said Moore. “Moreover, such disingenuous use of the track and trace program could lead to people leaving false contact details behind, potentially causing the programme to fall over before it has had a chance to show how powerful it could be in reducing the spread of Covid-19.”

Poor governance?

Another expert said the Department for Health had shown poor governance for not carrying a data protection assessment, eventhough it was in the middle of a global pandemic.

“We all understand the need for those setting up the track and trace capability to act quickly, but the ICO is, I believe, going to struggle to enforce aspects of the Data Protection Act 2018 given the example that has been set by the Government during 2020,” said Darren Wray, CTO at data privacy experts Guardum.

“The revelation that a Data Privacy Impact Assessment was not performed as part of the track and trace project, shows exceedingly poor governance and control,” said Wray. “In the private sector, organisations are expected to ensure that Data Privacy and Protection controls are a part of their business as usual processes, not something that is revisited in hindsight.”

“I respect the Education Secretary’s position when he said that ‘In no way has [there] been a breach of any of the data that has been stored,’ but there are two vital points, that Graham Williamson is perhaps missing, it often takes time for organisations to realise that they have experienced a data breach and secondly breach protection is what many would consider to be the very lowest bar in data protection requirements, English data protection legislation raised the bar well above this over 20 years ago,” he concluded.

Lives at risk

But another expert said the government was dealing with the challenges of an unprecedented health emergency, with lives at stake, so missing compliance formalities was understandable.

“In light of the circumstances, I would not cast any sinister light or raise any doubts on the currently unfinished DPIA assessment of the programme,” said Ilia Kolochenko, founder & CEO of web security company ImmuniWeb.

“This pandemic has brought us the challenges of unprecedented complexity, emergency and scale making most of the common procedures and formalities unfeasible,” Kolochenko added.

“Unless there is a clear and convincing evidence of any material non-compliances or misuse of the data, I’d refrain from criticising the approach selected by the UK government to handle the programme urgently,” said Kolochenko.

“Were they mechanically following all of the compliance formalities through the jungles of bureaucracy, they would likely have endangered many innocent lives by the delay and also inflicted incalculable financial damage upon the spiraling economy,” said Kolochenko.

“It is now important to rigorously follow DPIA procedures to retroactively confirm and duly validate the programme’s data protection and privacy in accordance with the enacted law,” Kolochenko concluded. “It is highly unlikely that under the circumstances anyone will have a viable claim for relief against the UK government.”

Can you protect your privacy online? Take our quiz!