While I wait for a reply to my email to the @PHE_uk DPO, I note that the Test & Trace Privacy Notice has had a bit of a face lift.
It still does not refer to ‘personal data’ but to ‘personally identifiable information’
https://abs.twimg.com/emoji/v2/... draggable="false" alt="🤷🏼♂️" title="Man shrugging (medium light skin tone)" aria-label="Emoji: Man shrugging (medium light skin tone)">
https://abs.twimg.com/emoji/v2/... draggable="false" alt="🙇♂️" title="Man bowing deeply" aria-label="Emoji: Man bowing deeply"> https://twitter.com/privacymatters/status/1265894639938215937">https://twitter.com/privacyma...
It still does not refer to ‘personal data’ but to ‘personally identifiable information’
It’s a revised notice - Version: 00.04
First published: 28 May 2020. The one yesterday on launch day was Version 00.03 First Published 04 March 2020.
https://abs.twimg.com/emoji/v2/... draggable="false" alt="🤔" title="Thinking face" aria-label="Emoji: Thinking face">
The revised notice does a better job of explaining the role of infectious diseases contact tracing - a better job
First published: 28 May 2020. The one yesterday on launch day was Version 00.03 First Published 04 March 2020.
The revised notice does a better job of explaining the role of infectious diseases contact tracing - a better job
“NHS Test and Trace is a website that has been set up by Public Health England to help manage the process of identifying and contacting people who may have been infected with this new disease.”
Oh FFS. “To trace the contacts of people with COVID-19, NHS Test and Trace needs to collect personally identifiable information” <dear @PHE_uk the law, your obligations & our rights are based on personal data/ special categories of personal data and NOT PII
https://abs.twimg.com/emoji/v2/... draggable="false" alt="🤷🏼♂️" title="Man shrugging (medium light skin tone)" aria-label="Emoji: Man shrugging (medium light skin tone)">
https://abs.twimg.com/emoji/v2/... draggable="false" alt="🙇♂️" title="Man bowing deeply" aria-label="Emoji: Man bowing deeply">
I kept a copy of the Privacy Notice from yesterday.
Changes not in presentation of what information is collected and why .. but addition of data too. For example, the notice now advises that a person testing positive will also be asked to confirm their & #39;sex& #39;.
Changes also to
Changes not in presentation of what information is collected and why .. but addition of data too. For example, the notice now advises that a person testing positive will also be asked to confirm their & #39;sex& #39;.
Changes also to
information requested about & #39;close contacts"
Yesterday PHE_UK would ask you to provide the "full name, home postcode and house number, telephone number, email address [of close contacts]"
Today , PHE_UK will ask to people testing positive to ...
Yesterday PHE_UK would ask you to provide the "full name, home postcode and house number, telephone number, email address [of close contacts]"
Today , PHE_UK will ask to people testing positive to ...
"to provide the contact details of anyone they have been in close contact with" <this is too ambiguous & not acceptable. What is meant by & #39;contact details& #39;?
One can only assume those details will include mobile number /email address.
One can only assume those details will include mobile number /email address.
A new section is added. & #39;How the information is used& #39; that essentially describes data processors used to support Test & Trace. One hopes due diligence has been done & appropriate governance measures are in place
I asked the PHE_UK for such info in my email yesterday. Let& #39;s see
I asked the PHE_UK for such info in my email yesterday. Let& #39;s see
Oh FFS. Why, when the @PHE_UK did a facelift to the Privacy Notice did they not address this: "The personally identifiable information collected by NHS Test and Trace is protected in several ways." <the obligations, restrictions & individual rights in the GDPR & UK DPA2018 apply
& #39;personal data& #39; & & #39;special categories of personal data& #39; as defined in those laws & through case law. They do NOT refer anywhere in their texts to & #39;personally identifiable information& #39; (yday @PHE_UK used the & #39;personal identifiable information& #39;) - this really is not appropriate.
The section & #39;How the information is protected& #39; is a bit longer in today& #39;s face-lifted privacy notice. It provides broader details of the categories of those who can & #39;see& #39; the information.
Folks have "have been trained to protect the confidentiality of people" <I hope that training is not based on the concept of & #39;personally identifiable information& #39; but as the law applies to & #39;personal data& #39; and & #39;special categories of personal data& #39;.
Hmm. Changes to the section & #39;How long the information is kept& #39;. The changes alter significantly how the rules on ata retention apply and who to ... and muddies the water.
Also, data will be used to "provide any new treatments" - this needs clarification
Also, data will be used to "provide any new treatments" - this needs clarification
I would suggest the Section 251 does not address matters as they should be https://twitter.com/EinsteinsAttic/status/1266142308921151489?s=20
In">https://twitter.com/Einsteins... my email I asked if they could confirm the approval and precisely what data and for what purposes will such data be used under the Section 251 approval
In">https://twitter.com/Einsteins... my email I asked if they could confirm the approval and precisely what data and for what purposes will such data be used under the Section 251 approval
And the last observation of the facelift, is the change from a & #39;Privacy Notice& #39; to & #39;Privacy Information& #39; - I wonder why they changed that.
Still a lot to answer.
Still a lot to answer.
and then in a major failing "Public Health England... confirmed to POLITICO that it had yet to complete a so-called data protection impact assessment — a mandatory requirement under U.K. law — before the system started on Thursday." https://www.politico.eu/article/uk-test-trace-privacy-data-impact-assessement/">https://www.politico.eu/article/u...