A UK privacy group says there is now proof for its suspicion that the government unlawfully launched and operated the COVID-19 Test and Trace program of the country’s healthcare service, NHS.
The program was launched on May 28, but as the Open Rights Group has now learned from the Department of Health and Social Care, the authorities never carried out the legal obligation to perform a Data Protection Impact Assessment that should be submitted to the Information Commissioner’s Office (ICO).
Back on June 1, Public Health England, who are directly responsible for operating the program, said this would be done the following week – however that didn’t materialize.
This organization “was unable to explain” why this is the case.
You may remember how have the NHS’s tracing program didn’t do much to quash people’s fears that it would be a privacy nightmare and it was breaching GDPR from the offset.
Instead of saying why the data protection impact assessment was still missing, this agency said there was “no evidence of data being used unlawfully.” The underlying message of a spokesperson’s response is that people whose data is collected in this way should trust the authorities to collect and use it ethically – even though they just acted unlawfully when failing to observe the procedure necessary to deploy this type of program.
Read the full letter here.
Next, an ICO spokesperson said that while organizations do have to produce impact assessment – they don’t actually “always” have to share it with this office.
Moreover, instead of assertively protecting personal data as a regulator, the ICO describes itself as “working with government as a critical friend to provide guidance and advice” in this particular case.
The haste with which the program was rolled out and the fact it fell short of meeting privacy protection obligations is justified by the need to act quickly in a health emergency, and of course, “save lives.”
In essence, the issue of saving lives (even if the claim may be questionable) is being pitted against privacy and data safety, and the authorities are banking on citizens choosing the former every time.
However, people like Neil Brown of tech law firm decoded.legal see this as a false dichotomy.
“I don’t see why they couldn’t have assessed the impact of what they’re proposing on the fundamental rights of people here, while they were going through the process. It’s something that other organizations do all the time,” he told the Register.