A critical NHS project to track the spread of coronavirus and help reopen the economy has been hit by a legal challenge over privacy concerns and fears about who will be able to access sensitive personal data to be held for 20 years.
The NHS’s Test and Trace system is facing a challenge after Open Rights Group, a privacy campaign group reported the programme to the UK’s data watchdog, the Information Commissioner’s Office (ICO).
The group claims insufficient safeguards exist for sensitive health data that will be collected on potentially millions of people. It is also concerned about who will have access to the data and how it will be used for years to come.
According to a complaint seen by The Telegraph, advocates say the system has so “far fallen” short of basic UK privacy requirements and called for “appropriate enforcement action”.
It warned of a “high risk” to peoples’ data, arguing safeguards including a data protection impact assessment should have been set out clearly before its launch under existing UK rules.
Under the new NHS Test and Trace system, which was launched last week, people who have tested positive for coronavirus will be contacted by contact tracers and asked to identify others they may have come into contact with who are at risk of infection.
They are then asked to provide details including their symptoms, name, date of birth, gender, NHS Number, email, address and phone numbers.
They are also asked to share contact details of anyone they may have come into close contact with, who will in turn be asked to isolate. NHSX, the health service’s technology arm, is also working on a smartphone app to assist with its manual contact-tracing process.
The Test and Trace scheme is viewed as vital to help slow the spread of the virus by rapidly tracking down people at high risk of infection. However, advocates are concerned about the privacy implications of the massive data gathering campaign and what will happen to the data once the pandemic is over.
In a separate letter to Matthew Gould, chief executive of NHSX, lawyers for Open Rights Group, a digital advocacy group, warned failure to carry out the correct assessments could “leave you open to enforcement action, including a fine of up to €10m (£9m)”.