New. Test and Trace has been operational for more than a month, 150,000 people have had data processed. The gov still hasn't completed a mandatory impact assessment to help protect privacy + rights. It now has a week or will be taken to court https://www.wired.co.uk/article/nhs-test-and-trace-data-protection
The legal ultimatum – a pre-action letter – was served to Matt Hancock and the Department of Health on July 1 by @OpenRightsGroup + @RaviNa1k. Gov has until July 8 to produce a Data Protection Impact Assessment (DPIA) for the whole of Test and Trace or will face a judicial review
A DPIA may sound like a box-ticking exercise but it's crucial. It is a chance for an organisation to think about the risks of handling people's personal data. It allows them to think: what could go wrong and what can we do to fix it. (Including: leaks, abuse of info + more)
Why does it matter even more with Test and Trace? Because it's a hugely complex scheme with a lot of moving parts. Huge amounts of personal data are being processed (sex, health info, contact details) and there are a lot of companies involved (Serco, SITEL, etc)
Because no overall DPIA has been done it's impossible to know how much thought the government has put into the Test and Trace risks (not just privacy, but human rights too). And even harder to know whether those risks have been mitigated too
The Department of Health refused to comment on potential legal action. However, emails between it and ORG say it has done DPIAs for parts of Test and Trace and believes this is enough
The legal letter says risks have only been looked at in “a few narrow parts” of Test and Trace
What does the data protection regulator say? @ICOnews says it is reviewing a DPIA for 'parts' of Test and Trace. Its full statement below
The government has already made concessions on Test and Trace. The original privacy notice, which still stands, said people's data would be kept for 20 years.
After questioning, officials conceded that this is being changed to eight years. Little explanation was given
Context is important. Test and Trace launched quickly with thousands of new employees. There's been criticism around training, suppliers, and tools used. The more transparency there is in data protection, the more confidence people can have in the system https://www.wired.co.uk/article/nhs-test-and-trace-data-protection
To update this thread. The government took two weeks to respond to the legal letter. In its response it admitted it hadn't completed the mandatory impact assessment when Test and Trace started, and... still hasn't done so https://www.wired.co.uk/article/nhs-test-and-trace-unlawful-data