Coronavirus: England’s Test and Trace App Unlawful Under GDPR

Governemnt admits that England's coronavirus tracking app has been operating unlawfully since it rolled out on 28th May 2020 as they failed to conduct a data protection impact assessment

Last Updated on

England’s coronavirus Test and Trace s system violates data protection laws, says The Open Rights Group (ORG). In a letter to the ORG, the Department of Health admitted that the Covid-19 Test and Trace app, which allows employees to contact the people who have tested positive to self-isolate, was launched before a data protection impact assessment (DPIA) had been conducted.

Despite the government claiming none of the data from the app had been breached, this means that the Test and Trace system has been operating unlawfully since it was rolled out on 28th May. 

Speaking on BBC Breakfast, education secretary Gavin Williamson said: “In no way has [there] been a breach of any of the data that has been stored,” adding, “I think your viewers will understand that if we are to defeat this virus, we do need to have a test and trace system and we had to get that up and running at incredible speed…. Are you really advocating that we get rid of a test and trace system? I don’t think you are.”

While the ability to test and trace those who have contracted the disease is an essential part of the battle against the pandemic, so is the public’s trust in both the government and public health service which, says ORG executive director Jim Killock, has been “undermined by their operating the programme without basic privacy safeguards”. 

Killock also branded the Government “reckless,” as the government “rushed” the online tracking system, blatantly violating the General Data Protection Regulation (GDPR), which protects privacy and identity online, generating privacy concerns

Speaking to PCGuide, Ray Walsh of Pro Privacy said “Whenever a system like this is rolled out – that will collect and process consumer data en masse – it is vital for Data Protection Impact Assessment to be made to ensure that any data is being collected and processed in such a way that will not harm users’ privacy.

“Now, it would appear that in its rush to start tracking and tracing the UK government bypassed this important step of the process”.

The way that the system works is that when authorities contact someone who has tested positive, they are asked to provide them information about themselves and the people they’ve been in contact with, including their name, date of birth, postcode, who they live with, places they recently visited and names and contact details of people they have recently been in close contact with, including sexual partners, all of which can be stored for up to 20 years (“an excessive length of time,” says Ray). 

This is concerning as these people may not know that their data and information is being harvested in this way, and that it is easily accessible to some 27,000 employees. The app makes users’ data vulnerable without providing any prior warning, which can usually be avoided with the use of a VPN. But, for people using the app on their phone, this could spell trouble in the form of their data being misused. 

Ray added: “The fact that an impact assessment was not made raises huge concerns for the public and means that members of the general public are much less likely to actually want to fully cooperate with track and trace operatives if and when they are contacted.

“Nobody is suggesting that Test and Trace stop — because it is important to be able to know when there are local outbreaks, and there is a need for localized lockdowns and restrictions. 

“What we want is for the government to do the things it was meant to have done in the first place to ensure any risks are removed, and to provide the general public with transparency about how their data will be protected throughout the process”.