The UK Government has reportedly admitted its coronavirus Test and Trace program breached privacy regulations when it was launched two months ago without a Data Protection Impact Assessment. The news comes as it was revealed dozens of staff shared patient’s private data on WhatsApp and Facebook.
Sky News reports: “Confirmation the programme failed to adhere to privacy regulations comes as Sky News can reveal that contractors working for NHS Test and Trace have been told they may be fired following reports of dozens of staff sharing patients’ confidential data on social media.”
According to The Times, screenshots containing the names, NHS numbers, contact details and case IDs of people who have tested positive for the virus were shared on Facebook and WhatsApp in unregulated social media groups.
The NHS Test and Trace is a service operated by the National Health Service in England and was established on 28 May to help prevent the spread of COVID-19.
The government website states:
“[The program] ensures that anyone who develops symptoms of coronavirus (COVID-19) can quickly be tested to find out if they have the virus, and also includes targeted asymptomatic testing of NHS and social care staff and care home residents.
“Helps trace close recent contacts of anyone who tests positive for coronavirus and, if necessary, notifies them that they must self-isolate at home to help stop the spread of the virus.”
The website goes on to assure patients that all private information that’s provided to the NHS test and trace service is “held in strict confidence and will only be kept and used in line with the Data Protection Acts 2018.”
Jill Killock, Executive Director of Open Rights Group said in a statement that emergency remedial steps will need to be taken.
“The reckless behavior of this Government in ignoring a vital and legally required safety step known as the Data Protection Impact Assessment (DPIA) has endangered public health. We have a ‘world beating’ unlawful Test and Trace programme.
“A crucial element in the fight against the pandemic is mutual trust between the public and the Government, which is undermined by their operating the programme without basic privacy safeguards. The Government bears responsibility for the public health consequences.
Killock continued: “The Test and Trace Programme is central to easing the lockdown and getting the economy growing again. The ICO should have taken action but did not. We were forced to threaten Judicial Review to ensure that people’s privacy is protected.
“The ICO and Parliament must ensure that Test and Trace is operating safely and lawfully. As we have already seen individual contractors sharing patient data on social media platforms, emergency remedial steps will need to be taken,” she added.