The EU’s General Data Protection Regulation (GDPR) requires member states to conduct a data protection impact assessment (DPIA) for any project that creates a potentially high risk to the security and privacy of the expected data subjects. New reporting indicates that the UK Test and Trace contact tracing program has skipped that assessment, though the program has been in development since May.
Though the UK is in the midst of breaking off from the EU, it is currently in a transitional period that lasts until the end of 2020. During that time the EU GDPR continues to apply in the country. As of 2021 the UK will introduce its own version of the GDPR that sits parallel to the EU version and is very similar in its terms, something that is necessary for it to maintain a “secure third country” status for personal data transfer purposes once the full split happens.
UK Test and Trace and the mandatory data protection impact assessment
At the very least, it is known that UK Test and Trace did not conduct the necessary DPIA that the GDPR requires for something that collects personal information on this sort of scale. Privacy campaigners, such as the Open Rights Group (ORG), take it a step further and claim that the UK Test and Trace program’s methods of collection are openly violating GDPR requirements.
For its part, the UK government has acknowledged the lack of a DPIA but claims that there is no evidence of unlawful collection or use of personal data.
UK Test and Trace was initiated on May 28, and quickly entered a contentious developmental period that saw the UK government initially plan to develop its own contact tracing app before scrapping the plans in June and switching to a model based on the API that Apple and Google are offering to world governments. The country still does not have a contact tracing app in place, but is conducting a more traditional effort that asks those who have received a Covid-19 diagnosis to log into the UK Test and Trace website to register their personal information. The site asks for name, date of birth, postcode, other residents of the household, a list of places recently visited, and the contact information of anyone that has been within six feet for a period of at least 15 minutes. Pubs and restaurants are also required to keep certain information about customers for a limited period of time.
ORG and similar privacy advocate groups claim the UK government rushed the process, and that it is legally obligated to conduct a data protection impact assessment under the terms of the GDPR. The program employs about 27,000 contact tracers who have to date been in touch with over 155,000 people. The close contacts of known Covid-19 patients are asked to get tested and self-isolate for two weeks if they are experiencing symptoms, but the program does not have any mandatory components at present. Those who are contacted or diagnosed are not obligated to give over contact information nor are any fines presently levied for non-compliance.
Potential GDPR compliance issues
A spokesperson for Public Health England verified that a DPIA was being prepared for UK Test and Trace when the program launched in late May, but it has yet to emerge. The primary purpose of the assessment is to determine how the personal data being collected might be compromised and ensure that adequate safeguards are in place. This process would be overseen by the Information Commissioner’s Office (ICO), however, so it would appear that the UK is regulating itself on this issue. The ICO has positioned itself as a “critical friend” of the government on this issue, focusing on providing advice and guidance rather than strict regulation.
There is the possibility of ORG bringing legal action to attempt to force ICO’s hand, and any enforcement action that developed would likely consist of fines under the GDPR’s terms. ORG is attempting to crowdfund the resources to bring a court case if necessary. The data protection impact assessment situation highlights one of the ongoing predicaments of the GDPR throughout Europe; it has plenty of teeth for government-appointed data protection authorities (DPAs) to take measures against private companies, but meaningful enforcement becomes much more difficult when a government agency is the culprit.
The crux of the UK Test and Trace issue is the potential of data being used unlawfully, of which there is no indication at present. Absent that element, Ilia Kolochenko, Founder & CEO of web security company ImmuniWeb, believes that the DPIA flap will ultimately not amount to much of anything: “In light of the circumstances, I would not cast any sinister light or raise any doubts on the currently unfinished DPIA assessment of the (UK Test and Trace) program. This pandemic has brought us the challenges of unprecedented complexity, emergency and scale making most of the common procedures and formalities unfeasible … It is now important to rigorously follow DPIA procedures to retroactively confirm and duly validate the program’s data protection and privacy in accordance with the enacted law. It is highly unlikely that under the circumstances anyone will have a viable claim for relief against the UK government.”