UK Gov’t Breaks Privacy Law via NHS Test and Trace Program


Following a legal challenge and backlash from privacy and free speech organization, Open Rights Group (ORG), the British government has been forced to admit that its Test and Trace program had not passed the required privacy risk assessment. The program has been launched on May 28, 2020.

The government admission follows after the Open Rights Group penned a legal letter to the Department of Health and Social Care two weeks ago, says The Wired.


In a statement, executive director of ORG Jim Killock said, “The reckless behavior of this government in ignoring a vital and legally required safety step known as the data protect impact assessment (DPIA) has endangered public health. We have a ‘world-beating’ unlawful test-and trace programme.”

NHS Test and Trace Program



“A crucial element in the fight against the pandemic is mutual trust between the public and the government, which is undermined by their operating the programme without basic privacy safeguards. The government bears responsibility for the public health consequences,” continued Killock.

The Test and Trace program initiative by the NHS has already experienced three major data breaches after launching. Email mishaps, as well as personal information being disseminated via training materials, have reportedly been made available.

Likewise, Forbes reports that individuals involved with the NHS Test and Trace program have been revealing names, numbers, and contact information of people who have tested positive for the virus. This information has reportedly been circulating on social networking sites such as Facebook and WhatsApp.

Other details that may have been compromised by the government initiative include the date of birth, sex, email address, telephone number, as well as patient symptoms suffered by the individuals in question.

Of the 1,956,198 individuals tested for the virus, Wired UK states that 34,990 of these have tested positive. The details of COVID-19 positive patients were in turn given to the contact tracing initiative.

Following the accusations, BBC reports that the British government said it had been working closely alongside the Information Commissioner’s Office to ensure that the information is processed accordingly.

In a statement, a representative for the secretary of health Matt Hancock said, “it would have been preferable for there to have been a single DPIA in place prior to the commencement of the Programme.” Despite this admittance, the government maintains that the required risk assessment is being finalized.

In addition to complying with the DPIA regulations, the government has also agreed to retain personal information to eight years from the initial 20-year period, which ORG says is already a personal win.