Comment: England's COVID-19 Test and Trace Programme 'breaks GDPR data law'

BBC News reported that privacy campaigners say England’s coronavirus test and trace programme has broken a key data protection law. The Department of Health has conceded that the programme was launched without an assessment of its impact on privacy. The programme asks people to share sensitive personal information, which can include:

  • their name, date of birth and postcode
  • who they live with
  • places they recently visited
  • names and contact details of people they have recently been in close contact with, including sexual partners.

EXPERT COMMENTS
Jake Moore, Cybersecurity Specialist, ESET
July 21, 2020
In a pandemic, shortcuts are taken on regulations with the bigger picture in mind about the safety of people’s lives.
In a pandemic, shortcuts are taken on regulations with the bigger picture in mind about the safety of people’s lives. However, this has been detrimental to individual privacy, and has left the protection of our private data open to abuse – unfortunately, this could be precisely where criminals will strike. We have seen bar staff make unwarranted contact with pub-goers, which is just the start ....
Kelvin Murray, Senior Threat Research Analyst, Webroot
July 21, 2020
With apps such as these, uptake will be based on trust.
Given the urgency in rolling out the test and trace programme, it is clearly challenging to balance the importance of public data privacy with the need to track the epidemic accurately to keep people medically safe. This was always going to be difficult given the timeframe, but privacy and security still need to be front of mind when dealing with any personal data. This is especially important wi ....
Ilia Kolochenko, CEO, ImmuniWeb
July 21, 2020
It is highly unlikely that under the circumstances anyone will have a viable claim for relief against the UK government.
In light of the circumstances, I would not cast any sinister light or raise any doubts on the currently unfinished DPIA assessment of the programme. This pandemic has brought us the challenges of unprecedented complexity, emergency, and scale making most of the common procedures and formalities unfeasible. Unless there is clear and convincing evidence of any material non-compliances or misuse of ....
Tim Mackey, Principal Security Strategist, Synopsys CyRC
July 21, 2020
For practical purposes, the DPIA is a risk mitigation exercise designed to identify any data processing limits that should be employed.
The Open Rights Group raises an interesting question related to the development of new applications in a GDPR world. On the surface, Article 35 outlines a set of requirements under which a Data Protection Impact Assessment (DPIA) should be performed. For practical purposes, the DPIA is a risk mitigation exercise designed to identify any data processing limits that should be employed. The ultimate ....

