The United Kingdom's coronavirus tracing system did not complete mandatory privacy checks before the service began on Thursday.
The so-called “test and trace” rollout will see thousands of people handing over their personal data to U.K. authorities via contact tracers as part of efforts to inform others if they have been in contact with people infected with the virus. The personal information, including names, zip codes, phone numbers and email addresses, will be held by government bodies for up to 20 years.
But Public Health England, the agency overseeing the system in England, confirmed to POLITICO that it had yet to complete a so-called data protection impact assessment — a mandatory requirement under U.K. law — before the system started on Thursday.
“Public Health England, supported by the NHS Business Services Authority, is preparing a data protection impact assessment for the NHS Test and Trace system,” Julia Thompson, a spokeswoman, said in a statement. It “expects to publish this shortly.”
Under U.K. law, such an assessment, detailing the potential privacy concerns of collecting reams of people's sensitive data, is obligatory and must be completed before data collection begins. It has to be submitted to the country's privacy watchdog for review.
Ravi Naik, a data rights lawyer who has been critical of the government's contact-tracing plans, told POLITICO the failure to carry out the assessment before data collection had raised concerns that U.K. authorities had not fully addressed the potential privacy implications. It could also open up the contact-tracing system to potential legal challenges.
“If they have deployed the system without considering those risks, that is a problem and may further undermine efforts to get people to take part in the system,” he said in reference to the U.K. government. “Confidence and trust is key. Missteps like this will only lose public trust.”
Under U.K. rules, companies and government agencies can face fines of up to 4 percent of annual revenues if they mishandle people's data. Earlier this year, for instance, the country's Financial Conduct Authority referred itself to the U.K.'s priv