The Open Rights Group (ORG) has forced the Department of Health to admit it is not compliant with the General Data Protection Regulation (GDPR) because it did not follow the required procedures.
Under GDPR, organisations are compelled to undertake accountability and governance procedures to identify and minimise the data protection risks of a project. One of these steps is a Data Protection Impact Assessment (DPIA) to identify risks and assess necessity, proportionality and compliance measures. It is an important box to tick but was seemingly forgotten during the creation of the UK’s Test and Trace programme, which is increasingly looking like little more than an embarrassment to the nation.
“The reckless behavior of this Government in ignoring a vital and legally required safety step known as the Data Protection Impact Assessment (DPIA) has endangered public health,” said Jim Killock, Executive Director of Open Rights Group.
“We have a ‘world beating’ unlawful Test and Trace programme.”
Over the last several weeks, the Department of Health and Social Care and the NHS have been attempting to use technology to combat the coronavirus pandemic, though the results have been less than satisfactory.
Aside from a calamitous development roadmap in which civil servants decided to go against the advice of Silicon Valley, the Test and Trace programme has also seen personal information shared by contact tracers over WhatsApp, while contact information has allegedly been used to harass women.
This latest incident is another indication of the inability of the political elite and the NHS to grasp technology or the nuances of the digital economy.
Two weeks ago, the ORG wrote a letter to the Department of Health and Social Care asking for the DPIA to be published. Embarrassingly, the Government Legal Department was forced to write back admitting it had not conducted a DPIA and that the process is currently being finalised. Interestingly enough, despite suggesting that a DPIA was going to take place, the lawyers believe it is not legally necessary under GDPR, or that the DPIA can be conducted whenever the Government sees fit.
“The revelation that a Data Privacy Impact Assessment was not performed as part of the track and trace project shows exceedingly poor governance and control,” said Darren Wray, CTO of big data firm Guardum.
“In the private sector, organisations are expected to ensure that Data Privacy and Protection controls are a part of their business as usual processes, not something that is revisited in hindsight.”
This has been little more than a disaster from start to finish, demonstrating that public servants should stick to what they do best and leave the complicated jobs to those who know what they are doing.