Read on Twitter
WIn for @OpenRightsGroup:
Government admits to ORG that England's test and trace programme 'breaks GDPR data law' https://www.bbc.co.uk/news/technology-53466471
Government admits to ORG that England's test and trace programme 'breaks GDPR data law' https://www.bbc.co.uk/news/technology-53466471
What happened here:
ORG was already concerned because the App had a late and bad Data Protection Impact Assessment.
When the manual Track and Trace programme was launched at the end of May, Politico reported no DPIA had been done. https://www.politico.eu/article/uk-test-trace-privacy-data-impact-assessement/
ORG was already concerned because the App had a late and bad Data Protection Impact Assessment.
When the manual Track and Trace programme was launched at the end of May, Politico reported no DPIA had been done. https://www.politico.eu/article/uk-test-trace-privacy-data-impact-assessement/
We wrote to the Government, which said it had done a DPIA on CTAS. They obfuscated to us, trying to imply doing a DPIA on one part of the system was enough.
CTAS is the 'Contact Tracing and Advisory Service' web portal, one of several pieces of software. https://www.wired.co.uk/article/nhs-coronavirus-contact-tracing-calls
CTAS is the 'Contact Tracing and Advisory Service' web portal, one of several pieces of software. https://www.wired.co.uk/article/nhs-coronavirus-contact-tracing-calls
Faced with this obfuscation, we threatened the Government with a Judicial Review over their decision *not* to conduct a DPIA.
As this was simple matter, we asked for them to confirm in a week if they had done one, and if not, to conduct it. https://www.wired.co.uk/article/nhs-test-and-trace-data-protection
As this was simple matter, we asked for them to confirm in a week if they had done one, and if not, to conduct it. https://www.wired.co.uk/article/nhs-test-and-trace-data-protection
Meanwhile stories like this emerged, contact tracers using social media groups to solve issues with their software, and sharing patient data on them: https://www.thetimes.co.uk/edition/news/coronavirus-contact-tracers-sharing-patients-data-on-whatsapp-and-facebook-rg3zqn5l6
Two weeks since the threat of a court case, and after six weeks of correspondence, the Government admitted they had not done a DPIA, and said they were now doing one.
IMPORTANT:
Since Test and Trace is operating unlawflly and data breaches appear to be taking place, the @ICOnews needs to step in, demand documents, and identify changes to re-establish public trust.
Time to end the “critical friend” policy and Regulate #GDPR.
Since Test and Trace is operating unlawflly and data breaches appear to be taking place, the @ICOnews needs to step in, demand documents, and identify changes to re-establish public trust.
Time to end the “critical friend” policy and Regulate #GDPR.
GOVT SPIN:
The Govt is telling journalists that there is “no evidence” of “unlawful data processing”.
What their letter (linked here) says is that the *programme* was operating unlawfully. https://www.openrightsgroup.org/press-releases/government-admits-test-and-trace-unlawful/
The Govt is telling journalists that there is “no evidence” of “unlawful data processing”.
What their letter (linked here) says is that the *programme* was operating unlawfully. https://www.openrightsgroup.org/press-releases/government-admits-test-and-trace-unlawful/
Here is the Government’s admission that they needed to do a DPIA at para 22:
https://www.openrightsgroup.org/app/uploads/2020/07/200715-PAP-Response-Letter.pdf
https://www.openrightsgroup.org/app/uploads/2020/07/200715-PAP-Response-Letter.pdf
And let’s make this absolutely clear:
This admission was obtained only as the result of legal correspondence and the threat of Judicial Review.
For which @RaviNa1k and @A__W______O deserve the credit—thank you for making this happen!
This admission was obtained only as the result of legal correspondence and the threat of Judicial Review.
For which @RaviNa1k and @A__W______O deserve the credit—thank you for making this happen!
