While I wait for a reply to my email to the @PHE_uk DPO, I note that the Test & Trace Privacy Notice has had a bit of a face lift.

It still does not refer to ‘personal data’ but to ‘personally identifiable information’ 🤷🏼‍♂️🙇‍♂️ https://twitter.com/privacymatters/status/1265894639938215937
It’s a revised notice - Version: 00.04
First published: 28 May 2020. The one yesterday on launch day was Version 00.03 First Published 04 March 2020. 🤔

The revised notice does a better job of explaining the role of infectious diseases contact tracing - a better job
“NHS Test and Trace is a website that has been set up by Public Health England to help manage the process of identifying and contacting people who may have been infected with this new disease.”
Oh FFS. “To trace the contacts of people with COVID-19, NHS Test and Trace needs to collect personally identifiable information” <dear @PHE_uk the law, your obligations & our rights are based on personal data/ special categories of personal data and NOT PII 🤷🏼‍♂️🙇‍♂️
I kept a copy of the Privacy Notice from yesterday.

Changes not in presentation of what information is collected and why .. but addition of data too. For example, the notice now advises that a person testing positive will also be asked to confirm their 'sex'.

Changes also to
information requested about 'close contacts"

Yesterday PHE_UK would ask you to provide the "full name, home postcode and house number, telephone number, email address [of close contacts]"

Today , PHE_UK will ask to people testing positive to ...
"to provide the contact details of anyone they have been in close contact with" <this is too ambiguous & not acceptable. What is meant by 'contact details'?

One can only assume those details will include mobile number /email address.
A new section is added. 'How the information is used' that essentially describes data processors used to support Test & Trace. One hopes due diligence has been done & appropriate governance measures are in place

I asked the PHE_UK for such info in my email yesterday. Let's see
👆"They are data processors acting on the instructions of the Department of Health and Social Care and cannot use the contract tracing information for any other purpose."
Oh FFS. Why, when the @PHE_UK did a facelift to the Privacy Notice did they not address this: "The personally identifiable information collected by NHS Test and Trace is protected in several ways." <the obligations, restrictions & individual rights in the GDPR & UK DPA2018 apply
'personal data' & 'special categories of personal data' as defined in those laws & through case law. They do NOT refer anywhere in their texts to 'personally identifiable information' (yday @PHE_UK used the 'personal identifiable information') - this really is not appropriate.
The section 'How the information is protected' is a bit longer in today's face-lifted privacy notice. It provides broader details of the categories of those who can 'see' the information.
Folks have "have been trained to protect the confidentiality of people" <I hope that training is not based on the concept of 'personally identifiable information' but as the law applies to 'personal data' and 'special categories of personal data'.
Hmm. Changes to the section 'How long the information is kept'. The changes alter significantly how the rules on ata retention apply and who to ... and muddies the water.

Also, data will be used to "provide any new treatments" - this needs clarification
🤷‍♂️ Why is the @PHE_UK still sating this? "The law on protecting personally identifiable information, known as the General Data Protection Regulation (GDPR) ..." < the law is about 'personal data' and special categories of personal data and not personally identifiable information
I would suggest the Section 251 does not address matters as they should be https://twitter.com/EinsteinsAttic/status/1266142308921151489?s=20

In my email I asked if they could confirm the approval and precisely what data and for what purposes will such data be used under the Section 251 approval
And the last observation of the facelift, is the change from a 'Privacy Notice' to 'Privacy Information' - I wonder why they changed that.

Still a lot to answer.
and then in a major failing "Public Health England... confirmed to POLITICO that it had yet to complete a so-called data protection impact assessment — a mandatory requirement under U.K. law — before the system started on Thursday." https://www.politico.eu/article/uk-test-trace-privacy-data-impact-assessement/
You can follow @PrivacyMatters.
Tip: mention @twtextapp on a Twitter thread with the keyword “unroll” to get a link to it.

Latest Threads Unrolled: