LONDON – The UK government admitted its contact tracing program is unlawful in a legal letter which confirms it has been running in breach of data protection laws since it was launched in May. Confirmation the program failed to adhere to privacy regulations comes as Sky News can reveal that contractors working for NHS Test and Trace have been told they may be fired following reports of dozens of staff sharing patients’ confidential data on social media.
According to the legal letter, the government did not conduct a data privacy impact assessment (DPIA) which is required to ensure that breaches of patients’ information don’t take place. The letter was sent in response to a legal challenge brought by Open Rights Group (ORG) against the government for failing to confirm whether it had met the required safeguards for the program.
In the letter, which has been seen by Sky News, the government’s lawyers accept that the government was legally required to have a completed DPIA at the time Test and Trace launched on May 28. The lawyers add that a single one covering the whole of the project has still not been completed, but was being worked on and that a number of DPIAs covering different parts of it were in place.
A Spokesperson for the Department of Health and Social Care claimed the program is “not being used unlawfully” and that it was “only handling NHS patients’ data”, claiming, “There is no evidence of data being used unlawfully.” They stressed that the contact-tracing program had been “developed quickly as part of the public health emergency caused by the pandemic”.
“NHS Test and Trace is committed to the highest ethical and data governance standards – collecting, using, and retaining data to fight the virus and save lives, while taking full account of all relevant legal obligations,” they added.
The spokesperson did not respond when asked whether a report in The Sunday Times, which found Test and Trace workers were sharing patients’ confidential data on social media sites, was evidence of data being used unlawfully. Sky News has seen internal communications from NHS Test and Trace warning contractors that “patient identifiable information must never be posted” on social media.
The spokesperson said, “Any such examples which come to light will be dealt with through the appropriate employment processes.”
This message was first circulated to workers on July 13 before being repeated on July 16. Jim Killock, the executive director of ORG, described the government as reckless in “ignoring a vital and legally required safety step”.
“A crucial element in the fight against the pandemic is mutual trust between the public and the government, which is undermined by their operating the programme without basic privacy safeguards,” Killock noted.
“The Information Commissioner’s Office and Parliament must ensure that Test and Trace is operating safely and lawfully,” he said, adding, “As we have already seen individual contractors sharing patient data on social media platforms, emergency remedial steps will need to be taken.”