UK.gov admits it has not performed legally required data protection checks for COVID-19 tracing system • The Register
The UK government has admitted it deployed the COVID-19 Test and Trace programme without a Data Protection Impact Assessment (DPIA) required by law, according to privacy campaigners the Open Rights Group (ORG).
The ORG said the Department of Health and Social Care (DHSC) had confirmed in writing that the impact assessment had not been carried out following its legal complaint to data protection watchdog the Information Commissioner’s Office (ICO).
The failure to meet the legal requirement means the government’s “entire test and trace programme has been operating unlawfully since its launch on 28th May 2020,” the ORG said.
On 1 June, Public Health England, which runs the programme, issued a statement saying it was “currently working to complete the DPIA for NHS Test and Trace and has committed to provide this document to the ICO next week”.
It was unable to explain to The Register why, after more than a month, the impact assessment had not been completed, and instead deferred to the Department for Health and Social Care.
A DHSC spokesperson said: “There is no evidence of data being used unlawfully. NHS Test and Trace is committed to the highest ethical and data governance standards – collecting, using, and retaining data to fight the virus and save lives, while taking full account of all relevant legal obligations.
“We have rapidly created a large scale test and trace system in response to this unprecedented pandemic. The programme is able to offer a test to anyone who needs one and trace the contacts of those who test positive, to stop the spread of the virus.”
Guidance and advice
An ICO spokesperson said: “It’s an organisation’s responsibility to complete a data protection impact assessment as a way of identifying and addressing key privacy questions. There is not always a requirement for that DPIA to be shared with us.
“In this case, we have been working with government as a critical friend to provide guidance and advice for some elements of the scheme and to seek assurances that people’s personal data is protected.
“We recognise the urgency in rolling out the test and trace service during a health emergency, but for the public to have trust and confidence to hand over their data and that of their friends and families, there’s also work needed to ensure the risks to that personal data are properly and transparently mitigated. People need to understand how their data will be safeguarded and how it will be used.”
Education secretary Gavin Williamson told BBC Breakfast: “By no means has [there] been a breach of any of the data that has been stored.
“I think your viewers will understand that if we’re to defeat this virus, we do need to have a test and trace system and we had to get that up and running at incredible speed… Are you really advocating that we get rid of a test and trace system? I don’t think you are.”
But Neil Brown, director of tech law firm decoded.legal, told The Reg the idea that the government complies with the law or acts at speed in creating the system was a false dichotomy.
“I don’t see why they couldn’t have assessed the impact of what they’re proposing on the fundamental rights of people here, while they were going through the process,” he said. “It’s something that other organisations do all the time.”
He added that any organisation assessing the data protection risks and working to mitigate them as they design and roll out the system would not find the process too onerous. “If what you’ve done is designed your entire system and you’re ready to go, and suddenly think, ‘I haven’t done my data protection impact assessment’, and then you’re trying to write it in a way that shows the solution you found is totally compliant with the law: that could take longer,” Brown said.
He also commented that the ICO appeared to be working with the government rather than regulating. “Nowhere in the Data Protection Act can I find where it says that one of the duties of the ICO is to be a ‘critical friend’: it’s a regulator.” ®