UK Government ‘breaks own GDPR compliance regulations’
Privacy campaigners say the UK Government has broken a vital GDPR data protection law in its development of a Covid-19 test and trace programme.
The Open Rights Group says an admission to them by the Department of Health that they failed to conduct a data protection impact assessment (DPIA) before launching the programme shows it has been operating unlawfully since it began at the end of May. The government says there is no evidence of data being used unlawfully.
The test and trace system requires people to give a number of potentially sensitive items of information including who they live with and places they recently visited, as well as names and contact details of people they have been in close contact with, including sexual partners.
The Information Commissioner’s Office (ICO) has confirmed it is now working with the government “as a critical friend” to make sure data is processed in accordance with the law. But in a statement to the BBC, the ICO said while they recognised the urgency in rolling out the programme, “people need to understand how their data will be safeguarded and how it will be used” if there is to be confidence in handing over sensitive data.
DPIAs and GDPR have been a requirement for anyone handling personal data since 2018 with fines of up to €10 million or 2% of turnover for breaches of the rules.
Conflict International Director of Compliance, Roger Bescoby said: “DPIAs are only usually required where processing is ‘likely to result in a high risk’ to the data subject. In the world of surveillance, where anything can happen, it is best practice to always have prepared a DPIA and have it on record, which Conflict International does as standard.”
As you would expect, Conflict International takes considerable steps to protect your confidentiality and so please get in touch if we can help you on +44 (0)20 7917 2939 or email us in the strictest confidence [email protected].