“Specific and legitimate role’ is one of the most vaguely defined terms I’ve ever seen in a privacy notice…”
NHS Test and Trace ran into headwinds today as it launched, as the Health Secretary urged people to do their “civic duty” to participate in the scheme — which in the absence of a working app will require those who have tested positive to provide call centre staff with details of their recent contacts.
Amid a growing uproar over how the government has handled the outbreak, and the news that the UK has the world’s highest rate of excess deaths resulting from the pandemic, the “civic duty” request drew an indignant response.
Oxford University professor and primary care expert Trish Greenhalgh was among those rejecting the plea. As she put it bluntly: “It is not my ‘civic duty’ to participate in a scheme that is ‘test, track and trace’ by name only, run by cronies, aligned weakly if at all with our public health and primary care infrastructure, and tied to a vainglorious political target.”
This concedes that “personal identifiable information” (a term not used in privacy law in the UK; “personal data” is the term under the Data Protection Act 2018) will be retained for 20 years on a “secure cloud environment”.
This will include name, address, date of birth, postcode and phone number.
See also: Gov’t Launches Test and Trace – But There’s Still No App
Experts noted that it was not unusual for the NHS to keep data for lengthy periods, but with public distrust surrounding the government’s response to the COVID-19 outbreak high, many suggested that given the centralised nature of the response, some form of consultation should have occurred.
Ravi Naik solicitor and legal director AWO, a data rights agency, told Computer Business Review today: ” Looking at this policy itself there are a few things here that give me concern. Probably the main one is this idea that the data can be seen by, quote, those who have ‘a specific and legitimate role in the response and who are working on the NHS Test and Trace’”.
He added: “‘Specific and legitimate role’ is one of the most vaguely defined terms I’ve ever seen in a privacy notice and it’s really concerning when we are talking about our collective response to coronavirus.
“The bigger concern is that there are companies we know the NHS is working with in the data store that have questionable approaches to data protection. For this system to work we need confidence as without uptake there’s no utility. That lack of transparency is a real concern.”
Public Health England has been contacted for comment.