What happened here:

ORG was already concerned because the App had a late and bad Data Protection Impact Assessment.

When the manual Track and Trace programme was launched at the end of May, Politico reported no DPIA had been done. https://www.politico.eu/article/uk-test-trace-privacy-data-impact-assessement/
We wrote to the Government, which said it had done a DPIA on CTAS. They obfuscated to us, trying to imply doing a DPIA on one part of the system was enough.

CTAS is the 'Contact Tracing and Advisory Service' web portal, one of several pieces of software. https://www.wired.co.uk/article/nhs-coronavirus-contact-tracing-calls
Faced with this obfuscation, we threatened the Government with a Judicial Review over their decision *not* to conduct a DPIA.

As this was simple matter, we asked for them to confirm in a week if they had done one, and if not, to conduct it. https://www.wired.co.uk/article/nhs-test-and-trace-data-protection
Two weeks since the threat of a court case, and after six weeks of correspondence, the Government admitted they had not done a DPIA, and said they were now doing one.
IMPORTANT:

Since Test and Trace is operating unlawflly and data breaches appear to be taking place, the @ICOnews needs to step in, demand documents, and identify changes to re-establish public trust.

Time to end the “critical friend” policy and Regulate #GDPR.
Here is the Government’s admission that they needed to do a DPIA at para 22:

https://www.openrightsgroup.org/app/uploads/2020/07/200715-PAP-Response-Letter.pdf
And let’s make this absolutely clear:

This admission was obtained only as the result of legal correspondence and the threat of Judicial Review.

For which @RaviNa1k and @A__W______O deserve the credit—thank you for making this happen!
You can follow @jimkillock.
Tip: mention @twtextapp on a Twitter thread with the keyword “unroll” to get a link to it.

Latest Threads Unrolled: