The U.K. government violated data privacy regulated Europe’s GDPR by implementing a NHS Test and Trace program to monitor the spread of COVID-19 without also establishing a required Data Protection Impact Assessment (DPIA).

Privacy advocacy organization Open Rights Group (ORG) issued a complaint against Public Health England (PHE), which launched the program on May 28, about the DPIA still not available. PHE indicated on June 1 it would provide the assessment to data protection watchdog Information Commissioner’s Office (ICO) the following week.

Six weeks later, the DPIA wasn’t made available publicly, and ORG deemed the program unlawful.

“I’d be surprised if the government hadn’t already conducted an existing assessment for this type of data in other parts of the NHS and have a good understanding of the issues concerning patient and citizen data,” commented James Chappell, co-founder and chief innovation officer of Digital Shadows to SC. Media

“Typically, the Senior Responsible Officer (SRO) in a government program would appoint someone as a Data Protection Officer (DPO) who would have governance responsibility,” Chappell said. “The effort required is typically at the level of a few weeks,” he said, noting that Test and Trace was rolled out against shortened timescales. “It’s not currently clear to what degree this was missed or if it was a conscious decision.”

“There is no evidence of data being used unlawfully. NHS Test and Trace is committed to the highest ethical and data governance standards – collecting, using, and retaining data to fight the virus and save lives, while taking full account of all relevant legal obligations,” a spokesman for the Department for Health and Social Care said. “We have rapidly created a large scale test and trace system in response to this unprecedented pandemic. The programme is able to offer a test to anyone who needs one and trace the contacts of those who test positive, to stop the spread of the virus.”

Although the pandemic interrupted the British government’s quest to pull out of the European Union (EU),it’s unlikely that Brexit would offer an escape from GDPR, under which the need for DPIA falls.

Prefacing his remarks that he’s not a lawyer, Chappell observed that while the U.K. has formally left the EU, it is still governed by the GDPR until Dec. 31, 2020, “whilst we await the outcome of negotiations between the U.K. and EU.” 

Chappell also pointed out that the U.K. has implemented almost all of GDPR’s provisions in the defecting country’s Data Protection Act legislation to align with the GDPR. 

“It is likely therefore that the Information Commissioners Office will take an interest in this matter,” he added.

“It is an organization’s responsibility to complete a data protection impact assessment as a way of identifying and addressing key privacy questions. There is not always a requirement for that DPIA to be shared with us,” theregister.com cited an ICO spokesperson as saying. “In this case, we have been working with government as a critical friend to provide guidance and advice for some elements of the scheme and to seek assurances that people’s personal data is protected.

“We recognize the urgency in rolling out the test and trace service during a health emergency, but for the public to have trust and confidence to hand over their data and that of their friends and families, there is also work needed to ensure the risks to that personal data are properly and transparently mitigated. People need to understand how their data will be safeguarded and how it will be used.”