The UK’s information rights body must act to ensure the Government stops “playing fast and loose” with people’s health, it has been claimed.
A cross-party group of MPs has written to the Information Commissioner, Elizabeth Denham, raising concerns over the Government’s approach to data protection and privacy.
In a letter, the group accused ministers of paying “scant regard” to both privacy concerns and data protection duties during the Covid-19 pandemic.
It accused the Government of engaging with private contractors that have “problematic reputations” to process personal data, and said it had built a contact tracing proximity app that centralised and stored more data “than was necessary, without sufficient safeguards”.
On releasing the app for trial, the group noted, ministers failed to notify the Information Commissioner in advance of its data protection impact assessment.
The group also said the Government admitted it had breached its data protection obligations by failing to conduct an impact assessment prior to the launch of their Test and Trace programme.
Calling for action to establish public confidence, the group said it is now “imperative” that action is taken.
They wrote: “The Government not only appears unwilling to understand its legal duties, it also seems to lack any sense that it needs your advice, except as a shield against criticism.
“Regarding Test and Trace, it is imperative that you take action to establish public confidence – a trusted system is critical to protecting public health.”
The letter added: “ICO action is urgently required for Parliament and the public to have confidence that their data is being treated safely and legally, in the current Covid-19 pandemic and beyond.”
Green MP Caroline Lucas, one of the signatories to the letter, raised the issue of data protection directly with Health Secretary Matt Hancock in the Commons last month.
She said: “Running a risk assessment on data protection is not an optional extra. It’s a legal requirement and it’s essential if people are to be reassured that when they hand over their data to contact tracers, that data won’t be misused.
“We will only get through this Covid pandemic if there is trust in ministers and in the systems they put in place. That trust is already being stretched wafer thin.
“If people are to have confidence in the Test and Trace system, there must be an assessment of the risk of data leaks and measures put in place to prevent them.”
Jim Killock, executive director of the Open Rights Group, who organised the letter, warned the ICO about avoiding the fate of Public Health England – with its closure announced this week by the Government.
He said: “There is something rotten at the heart of the ICO that makes them tolerate Government’s unlawful behaviour.
“The ICO is a public body, funded by the taxpayers, and accountable to Parliament. They must now sit up, listen, and act.
“As a regulator, ICO must ensure that the Government upholds the law. They must heed the lessons from what’s happened to Public Health England.
“The only way to avoid that fate is to enforce the law and discharge their legal responsibility properly.”
Labour MP Clive Lewis, a signatory to the letter, said: “The ICO needs to act to ensure the Johnson government stops playing fast and loose with people’s health and safety.
“The Johnson government brought this programme forward more quickly than was practical, and we are all paying the consequences. Privacy is fundamental to trust.
“The ICO must investigate and force the Government to fix the problems, to avoid a wider breakdown in trust.”
An ICO spokeswoman said: “Our regulatory obligations include advising as well as supervising the work of data controllers.
“Our approach during the pandemic has been to provide advice on the data protection implications of a number of initiatives by the UK Government, the NHS, local councils and private sector organisations to respond to the public health crisis.
“We understand and recognise the Government and other organisations had to act quickly to deal with the national health emergency and we have explained their data protection obligations and provided guidance and expertise at pace to them.
“We have published much of this work so there is transparency and will audit and investigate arrangements where necessary to ensure people’s information rights are upheld.
“We will continue to uphold people’s information rights and we will act where our advice is not followed and where we find serious, systemic or negligent behaviour that puts people’s protections at risk.”
A Department of Health and Social Care (DHSC) spokeswoman said: “It is completely wrong to claim that there are no data protection impact assessments (DPIAs) in place or that the NHS Test and Trace service is unlawful.
“We have undertaken a number of separate DPIAs covering the constituent parts of the NHS Test and Trace service, with more in development including an overarching DPIA.
“An entire industry has been successfully set up at speed to tackle the most serious public health crisis we have faced in a century – our priority has been to save lives and protect public health and we will not apologise for doing so.
“NHS Test and Trace is committed to the highest ethical and data governance standards and there is no evidence of data being used unlawfully.”