Personal identifiable information collected by the newly introduced NHS Test and Trace programme, put in place to control the spread of coronavirus in the UK, will be kept for a period of 20 years. This is according to new privacy guidelines laid out by Public Health England (PHE), raising fresh questions around how COVID-19 might impact the use of personal information by the UK government.
PHE’s privacy notice, which lays out the objectives of the NHS Test and Trace programme, says the programme was established to allow patients who are infected with COVID-19, or those showing symptoms of the disease, to provide information about their health condition.
This includes the ability to enter more information over the course of time, as well as to provide the information of contacts of people infected with COVID-19.
The data collected from any person who tests positive for COVID-19 would include their full name, date of birth, sex, physical address, telephone number and email address. Moreover, data collected from their close contacts would similarly include the person’s full name, date of birth and contact details.
For both categories of people, the NHS Test and Trace system would ask the contacts to provide the information via a phone call, SMS or email.
“COVID-19 is a new disease and it is not yet clear what its longer term impacts on public health will be, either on people who have been diagnosed with the disease or their close contacts,” reads a statement released by PHE. On these grounds, it goes on, it is important for NHS Test and Trace to be able to retain information about patients and their contacts to help control any future outbreaks or to provide any new treatments.
“This information will be held securely by Public Health England and only used for purposes that help protect the public’s health from COVID-19,” the statement adds.
How NHS Track and Trace claims to protect privacy
According to PHE, the data it collects is protected and held in a secure cloud environment. The only people with access to the data, according to PHE, are those who have a legitimate and specific function in the UK’s COVID-19 response, such as staff who are working on the NHS Test and Trace programme.
“No information that could identify any person with coronavirus, including those who are showing symptoms, or the people they have been in contact with, will be published by PHE,” the privacy notice reads.
According to the public health plan, NHS Test and Trace is set to work in conjunction with a still-to-be-released mobile app, designed to use Bluetooth technology to trace the people with whom a COVID-19 patient has had contact.
In the wake of COVID-19, claims are questionable
The statement has ignited new privacy fears, especially in light of the length of time for which the data will be stored. These fears are likely exacerbated by the fact that—while people will be able to request that their information be deleted—PHE has nevertheless warned that “this is not an absolute right” and that it might “need to continue to use your information”.
The concerns go further still. According to David Grout, a technology executive at data security firm FireEye, despite PHE’s best efforts, privacy concerns around NHS Test and Trace are not only to be expected but also justified.
“The length of time the data is being stored for, and the lack of personal control on how the data is being used and kept are bound to cause privacy concerns,” he explained to UK newspaper The Independent. “This might not be too much of a headache for the government while manual tracking is the norm, but it will become more of an issue when NHSX’s contact-tracing app is launched, as this will rely on the public opting in for the project to work.
“Concerns surrounding the usage of the data in the app and how long the data is stored could well affect the number of downloads of a full national rollout,” Grout adds.
Furthermore, questions around preparedness and haste have also fed into the growing concerns around privacy. According to John Leonard, research director at online magazine Computing, the language used in relation to the NHS Test and Trace system showed signs of being hastily cobbled together, suggesting that it may not have been thoroughly deliberated.
“The website shows signs of having been rushed out, using US terminology such as ‘personal identifiable information’ which has no legal meaning in the UK, for example,” noted Leonard in a column.
Ultimately, however, privacy advocates will likely end up being particularly worried about the development in the wake of a number of high-profile botches with respect to patient data being compromised by the NHS in the past, perhaps most notably the care.data saga of 2014, when it emerged that the NHS had been sharing data with private companies.