Privacy campaigners accuse the UK government of violating data protection laws through the creation of the government's coronavirus Test and Trace app, which is yet to be released publicly.
The Open Rights Group (ORG), a free-speech campaigning organization, confirmed that it would be making a complaint to the Information Commissioner's Office (ICO) over the national rollout of the app in the wake of the Covid-19 pandemic.
- Best antivirus: stay safer online with watertight virus protection
- VPN: add a layer of extra protection thanks to a virtual private network
- Just in: Where to buy face masks and coverings online
The organization has also written a letter to UK health secretary Matt Hancock, to the CEO of NHSX (the agency meant to bring the National Health Service up to speed with the latest technology), Matt Gould, and to the chief executive of Public Health England (PHE), Duncan Selbie, to ask for information on the data safeguards of the app.
In its complaint, ORG accuses the NHS and PHE of failing to complete a Data Protection Impact Assessment, which required by law through the General Data Protection Regulation.
ORG said this was necessary “given the system is experimental and the sensitive nature and scale of the data being processed", adding that both health organizations are in breach of GDPR as they confirmed that a data protection impact assessment wasn’t conducted.
'Public health objectives are being undermined'
Campaigners at ORG also called the app’s 20-year data-retention period excessive while questioning its commercial and research purposes. They also claim to have found unspecified security issues that put people at risk and said the app’s privacy notice is flawed.
Jim Killock, Executive Director of Open Rights Group, called on the ICO to act and enforce the law, accusing the Government of moving too fast with the roll out.
He said: “If they carry on in this manner, public confidence will be undermined, and people will refuse to engage with the Track and Trace programme. Public health objectives are being undermined by failures to get privacy and data protection basics in place.”
The complaint will be filed by Ravi Naik, Legal Director of the data rights agency AWO. He also criticized the app for its approach to data protection, saying: “Rushing out Test and Trace without following basic legal requirements is troubling. These legal obligations are not simply a compliance point.
“They are designed to ensure that risks are identified and mitigated. Not conducting these assessments has caused our client’s concern that those risks have not been properly thought through.”