Privacy campaigners are planning a legal challenge as it was revealed that the UK contact tracing app retains personal data for up to 20 years …
A privacy notice (link not available outside the UK) says that those who declare a positive test result for coronavirus will see their personal data retained for 20 years, while contacts without symptoms will have their data kept for five years. The usual GDPR right to have personal data deleted on request may not apply.
The personally identifiable information collected by NHS Test and Trace for people with COVID-19 symptoms is kept by Public Health England for 20 years.
The personally identifiable information collected on the contacts of people with COVID-19 but who do not have any symptoms is kept by Public Health England for 5 years.
This information needs to be kept for this long because COVID-19 is a new disease and it may be necessary to know who has been infected, or been in close contact with someone with symptoms, to help control any future outbreaks or to provide any new treatments […]
You can ask for any information held about you to be deleted. This is not an absolute right and Public Health England may need to continue to use your information. We will tell you why if this is the case.
For those who test positive, the personal data retained is extensive.
- full name
- date of birth
- sex
- NHS Number
- home postcode and house number
- telephone number and email address
- COVID-19 symptoms, including when they started and their nature
The Guardian reports on the planned legal challenge.
Privacy campaigners are preparing a legal challenge to the NHS’s coronavirus test-and-trace programme as concerns grow about the amount of contact data that will be collected and retained by government.
The Open Rights Group (ORG) has instructed the data rights lawyer Ravi Naik to draft a letter outlining its concerns after Public Heath England said it would retain “personally identifiable” data of those who test positive for 20 years.
Jim Killock, the ORG’s executive director, said: “The government needs to better explain its reasoning; what they have done so far has been rushed. Our concern is people will feel reluctant to participate if they feel their personal data is leaving their control.”
ORG says that the government also appears to be breaking the law by not carrying out a privacy impact assessment before launching the app.
The government has failed to complete a legally mandated data protection impact assessment, which is supposed to be filed with the Information Commissioner’s Office before any “high-risk” activity is carried out.
Opposition MPs are calling for legislation to ensure the contact tracing app retains personal data for coronavirus purposes only, and cannot be used for other purposes further down the line.
FTC: We use income earning auto affiliate links. More.
Comments