A CTO at a data privacy company has said the UK government’s test and trace programme has shown poor governance and control.

Sky News has reported that the government admitted the contact tracing programme, seen as key in the efforts to defeat Coronavirus, was unlawful, in a legal letter which said it had been running in breach of data protection laws since it was launched in May.
According to the legal letter, the government did not conduct a data privacy impact assessment (DPIA), which is required to ensure that breaches of patients' information don't take place.
The letter was sent in response to a legal challenge brought by Open Rights Group (ORG) against the government for failing to confirm whether it had met the required safeguards for the programme.
The government was legally required to have a completed DPIA at the time Test and Trace launched on 28 May.
The government, including a spokesman for the Department of Health and education secretary Gavin Williamson, has said that the data is not being used unlawfully.
Darren Wray, CTO at Guardum, said: “We all understand the need for those setting up the track and trace capability to act quickly, but the ICO is, I believe, going to struggle to enforce aspects of the Data Protection Act 2018 given the example that has been set by the government during 2020.
“The revelation that a DPIA was not performed as part of the track and trace project shows exceedingly poor governance and control. In the private sector, organisations are expected to ensure that data privacy and protection controls are a part of their business-as-usual processes, not something that is revisited in hindsight.
“I respect the education secretary's position when he said that ‘In no way has [there] been a breach of any of the data that has been stored,’ but there are two vital points that Gavin Williamson is perhaps missing: it often takes time for organisations to realise that they have experienced a data breach, and secondly, breach protection is what many would consider to be the very lowest bar in data protection requirements. English data protection legislation raised the bar well above this over 20 years ago.”