The NHS test and trace system rolled out by the Government to limit the spread of the coronavirus asks people to share their data, including:
- Who they live with;
- Places they have recently visited; and
- Name and contact details of people they have recently been in contact with.
This information is classed as personal data for the purposes of the General Data Protection Regulation (GDPR). As a result, data protection laws need to be followed.
Data Protection Impact Assessment (DPIA)
It is a requirement under GDPR to carry out a DPIA to help identify and minimise potential data protection risks of a project.
You must conduct a DPIA where processing is likely to result in a high risk to individuals. This involves:
- Describing the nature, scope, context and purpose of the processing;
- Assessing the necessity, proportionality and compliance measures;
- Identifying and assessing risks to individuals; and
- Identifying any additional measures to mitigate those risks.
Government failure to undertake a DPIA prior to the roll out of the NHS test and trace system
The Government has admitted that they failed to carry out a DPIA prior to the implementation of the NHS test and trace scheme. The scheme is therefore technically in breach of data protection laws.
Whilst this omission is understandably likely to be a result of the urgent need to implement the scheme, technically there has still been a breach of GDPR.
The Government has, however, confirmed that they are now working with the Information Commissioner’s Office to make sure that the data is being processed in line with GDPR.